Abstract. In this paper we revisit some major orthodoxies which lie at
the heart of the bitcoin crypto currency and its numerous clones. In
particular we look at The Longest Chain Rule, the monetary supply policies
and the exact mechanisms which implement them. We claim that these
built-in properties are not as brilliant as they are sometimes claimed to be.
A closer examination reveals that they are closer to being... engineering
mistakes which other crypto currencies have copied rather blindly. More
precisely we show that the capacity of current crypto currencies to
resist double spending attacks is poor and most current crypto currencies
are highly vulnerable. Satoshi did not implement a timestamp for
bitcoin transactions and the bitcoin software does not attempt to monitor
double spending events. As a result major attacks involving hundreds of
millions of dollars can occur and would not even be recorded, cf. [10].
Hundreds of millions of dollars have been invested to pay for ASIC
hashing infrastructure yet insufficient attention was paid to ensure that the
protection layer it promises is effective and cannot be abused.
In this paper we develop a theory of Programmed Self-Destruction of
crypto currencies. We observe that most crypto currencies have
mandated abrupt and sudden transitions. These affect their hash rate and
therefore their protection against double spending attacks, which we do
not limit to the notion of 51 % attacks, which is highly misleading.
In addition we show that smaller bitcoin competitors are substantially
more vulnerable. In addition to small hash rate, many bitcoin
competitors mandate incredibly important adjustments in miner reward. We
exhibit examples of 'alt-coins' which validate our theory and for which
the process of programmed decline and rapid self-destruction has clearly
already started.

Keywords: electronic payment, crypto currencies, bitcoin, alt-coins,
Litecoin, Dogecoin, Unobtanium, double-spending, monetary policy,
mining profitability



1 Bitcoin and Bitcoin Clones 

Bitcoin is a collaborative virtual currency and payment system. It was
launched in 2009 [14] based on earlier crypto currency ideas [1,7]. Bitcoin
implements a certain type of peer-to-peer financial cooperative without trusted
entities such as traditional financial institutions. Initially bitcoin was a sort of
social experiment, however bitcoins have been traded for real money for several
years now and their price has known a spectacular growth.

Bitcoin challenges our traditional ideas about money and payment. Ever
since Bitcoin was launched [14, 15] in 2009 it has been clear that it is an
experimental rather than mature electronic currency ecosystem. A paper at the
Financial Cryptography 2012 conference explains that Bitcoin is a system which
uses no fancy cryptography, and is by no means perfect [2]. In one sense it is
still a play currency in early stages of development. The situation is even worse
for bitcoin competitors. Their authors and promoters typically just copy features
of bitcoin without any deeper insight into their consequences.

In this paper we are going to see that the exact same rules which might after
all work relatively well (at least for some time) for a large dominating crypto
currency such as bitcoin are rather disastrous for smaller crypto currencies.

On the picture below we explain the organization of this paper. 



How bitcoin works: Section 3. Mining as investment: Section 2. Longest Chain
Rule: Section 4.

Deflationary monetary policies, growth coins, sudden jumps, mining income vs.
fees: Section 5.

Attacks based on the longest chain rule: Section 6. Alternative solution for
double spending: Section 7.

Cloud mining bitcoin economics, competing crypto currencies environment:
Section 2, 5 and 10.

Malicious pool managers can execute attacks secretly due to a technicality:
Section 8.

Sudden shocks and predicted decline or/and self-destruction of crypto
currencies, monopoly/weakness situations: Sections 5-12.

Case studies: Unobtanium: Section 10, Litecoin, Dogecoin: Section 11.

Future of bitcoin, exact predicted dates: Section 12.

Solutions, better crypto currencies: Sections 5, 7 and the Conclusion.



Fig. 1. Our roadmap: risks and dangers of bitcoin and other digital currencies. 



2 Bitcoin As A Distributed Business: Its Key Infrastructure and Investor Economics

Bitcoin digital currency [14] is an electronic payment system based on
cryptography and a self-governing open-source financial co-operative. Initially it
was just a social experiment and concerned only some enthusiasts. However
eventually a number of companies started trading bitcoins for real money. One
year ago, in April 2013, the leading financial magazine The Economist
recognized bitcoin as a major disruptive technology for finance and famously
called bitcoin "digital gold". We can consider that the history of bitcoin as a
mainstream financial instrument starts at this moment.

Fig. 2. The bitcoin market capitalization in the last 12 months.



Our starting point of April 2013 coincides more or less with bitcoin
achieving prices of 50 USD (and above), the market capitalization exceeding 1 billion
dollars, and an important shift in the nature of the ownership of the bitcoin
infrastructure. In a great simplification, before April 2013, one bitcoin was rarely
worth more than 5-50 dollars, and new bitcoins were produced by amateurs on
their PCs. Then bitcoin rapidly switched to the phase where new bitcoins are
produced by a smaller group of some 100,000 for-profit 'bitcoin miners', people
who have invested money to purchase specialized equipment, the only
purpose of which is to produce new bitcoins. A new sort of high-tech industry has
emerged: the production of machines able to produce bitcoins. Such machines
are called miners and are increasingly sophisticated [5].

These last 12 months of bitcoin history, April 2013 - April 2014, have seen an
uninterrupted explosion of investment in bitcoin infrastructure. Surprisingly 
large sums of money have been spent on purchasing new mining equipment. 
All this investment has been subject to excessively rapidly decreasing returns: 
bitcoin mining is a race against other miners in order to be able to earn a fairly 
limited fraction of newly created bitcoins. We examine these questions in detail. 



2.1 Investment in Hashing Power and Incredible 1000x Increase



The combined power of bitcoin mining machines has been multiplied by 1000
in the last 12 months cf. Fig. 3. However due to the built-in excessively conservative
monetary policy cf. [5], during the last 12 months, miners have been competing
for a modest fraction of bitcoins yet to be generated. The number of bitcoins in
circulation has increased only by 15 %, from 11 million to 12.6 million.

Fig. 3. The combined computing power in the collectively owned bitcoin 'hashing
infrastructure' has nearly doubled each month and overall it has increased 1000 times
in the last 12 months while the monetary supply has increased only by 1 % each
month. The mining profitability has also been eroded accordingly. The income from
any existing miner was divided by half nearly every month, cf. Section 2.2.

A 1000-fold increase in hash power is a very disturbing fact. We lack precise
data in order to see how much of this increase was due to improved technology
(important increase in the speed of bitcoin mining machines, cf. [5]), and how
much was due to a surge in investment: more customers and more orders. It is
however certain that a monumental amount of money has been invested in
these bitcoin ASIC miner machines. It is not easy to estimate it accurately. If
we consider that the current hash rate is composed primarily of KNC Neptune
28 nm miners shipped in December 2013 which for the unit price of 6000 USD
can deliver some 0.5 TH/s, we obtain that miners have spent in the last 4
months maybe 600 million dollars on some 120,000 ASIC machines which are
already in operation. In addition, knowing that miners are typically ordered a
few months in advance, it is quite plausible to assume that miners have
already spent more than 1 billion dollars on ASIC miners.

As we have already explained, we don't know exactly how this investment 
has evolved with time. However the near-doubling of the hash rate every month 
does certainly mean one thing: excessively rapid decline in mining revenue 
for every existing ASIC machine. 

1 If we consider that more recent miners with capacities between 1-3 TH/s for the same
price were already available to some privileged buyers many months before officially 
sold on the retail market, the total cost could be less than our 600M USD estimation. 



2.2 Investors Facing Incredibly Fast Erosion of Profitability 



This is due to the fact that all miners are in competition for a fixed number of
bitcoins which can be mined in one month: the rule of thumb is that exactly 25
bitcoins are produced every 10 minutes. Doubling the hash rate means dividing
the income by 2 each month. It means that investors can only hope for fast
short-term gains, and that their income tends to zero very quickly.

Let us develop this argument further. Imagine that a miner invests 5,000
USD and that the income from mining in the first month was 2,000 USD. Is
this investment going to be profitable? Most investors will instinctively believe
it will be. However with actual bitcoin it is not. In the recent 12 months the hash
power has approximately doubled each month, so the income of a given machine
has been halved each month. We need to look at the following sum:

$$1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8} + \cdots = 2$$

We see that the total income is only twice the income for the first month. 
This is not a lot. In our example the investor will earn only 4,000 USD and has 
spent 5,000 USD. The investor does not make money, he makes a loss. 

2.3 Dividend From Hashing 

It is easy to know exactly how much money was already earned by miners in 
freshly minted bitcoins multiplied by their present market price. 

Fig. 4. The daily market price of freshly created bitcoin coins in the last 12 months.

If we estimate the area under Fig. 4 we see that currently all miners combined
make only some 60 million dollars per month and have been paid roughly
some 400 million dollars in mining dividend, most of which was earned in the last
4 months. We neglect the price of the electricity. Contrary to what is suggested
by some press reports [13], this price has so far remained relatively low in bitcoin
mining compared to the high prices of ASIC miners, which needed to be
amortized over surprisingly short periods of time of not more than a few months
as shown in Section 2.2.



2.4 Investors' Nightmare 

The market for ASIC miner machines is far from being fair and transparent.
There is only a handful of ASIC companies and from their web pages it seems
that they might have manufactured and sold only a few thousand units each.
In fact it is believed that many manufacturers of ASIC miners have omitted to
tell their customers what the actual size of their production was. It is clear that
the actual production of ASIC miners has been much higher, as shown by the
hash rate, cf. Fig. 3. Most manufacturers worked with pre-orders. Customers
were never able to know when machines were going to be delivered and how
much the hash rate would increase in the meantime. Many manufacturers have
had important delays in delivery, frequently 6 months, and up to 12 months.
Such delays decrease the expected income from mining by an incredibly large
factor. We give some examples which are slightly simplified for the purpose of
this paper, however they are made to be as realistic and as faithful as
possible, and are based on personal experiences of ourselves and our friends:

1. If for example a miner has ordered his device from ButterflyLabs and the
device is delivered 12 months later, he earns roughly 1000 times less than
expected (at least with historical data, cf. Fig. 3), and even if the price of
bitcoin rises 10 times during this period, he still earns maybe 100 times less
than expected (!).

2. Contrary to what most people think, ButterflyLabs are not the worst. Many
miners ordered devices from suppliers which do NOT even exist, and were
pure criminal scams, even though they advertise on the Internet and their
machines are frequently compared to legitimate ASIC manufacturers on web
sites such as https://en.bitcoin.it/wiki/Mining_hardware_comparison
which have NOT attempted to distinguish between criminal scams and
genuine manufacturers. See Appendix of [6] and http://bitcoinscammers.com
for specific examples.

3. In another example a miner has ordered his device from BITMINE.CH and
the device was delivered with 6 months delay. He earns roughly 64 times
less than expected and even if the price of bitcoin rises 4 times during this
period, and even if BITMINE.CH compensates customers by increasing their
hash rate by 50 % or more for late delivery, he still earns maybe 10 times
less than expected (!).

4. In another example a miner has ordered his device from KNC miner or
Cointerra, and the device was delivered with just one month delay compared
to the predicted delivery date. Then the miner earns just half of what was
expected, which is already problematic but might be OK.
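
The factors quoted in examples 1, 3 and 4 follow from the series of Section 2.2. The derivation below is an added worked example, not part of the original paper. The symbols are notation introduced here: I_0 is the income in the first month if the machine had arrived on time, d the delivery delay in months, p the factor by which the bitcoin price has risen during the delay and c the hash rate compensation factor. It assumes the hash rate doubles exactly every month.

$$\sum_{k=0}^{\infty} \frac{I_0}{2^k} = 2 I_0, \qquad \sum_{k=d}^{\infty} \frac{p\,c\,I_0}{2^k} = \frac{p\,c}{2^d} \cdot 2 I_0 .$$

The late machine therefore earns a fraction $p\,c / 2^d$ of the expected income. For $d = 1$, $p = c = 1$ this is $1/2$ (example 4). For $d = 6$ it is $1/64$, and with $p = 4$, $c = 1.5$ it is $6/64 \approx 1/10.7$, the "maybe 10 times less" of example 3. For $d = 12$ exact doubling would give $2^{12} = 4096$; example 1 uses the historical factor of roughly 1000 from Fig. 3 instead, which with $p = 10$ gives $10/1000 = 1/100$.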

Overall it is possible to see that most miners were misled when they ordered
the ASIC machines. Miners were probably led to expect that the mining
profitability was going to be much bigger than what they obtained later on,
at the moment when they would eventually receive their machines and start
mining. Accordingly many people lost money in the bitcoin mining business (see
also Section 2.3). In addition, many of those who made some money have seen
their bitcoins disappear in large-scale thefts, cf. [10].



2.5 Bitcoin as Medium of Exchange 



It appears that bitcoin is not used a lot as a currency or payment instrument. 
The number of transactions in the bitcoin network is NOT growing, cf. Fig. 5 
and it can sometimes decrease. 

Fig. 5. The average number of transactions per day has remained relatively stable in
the last 12 months. It remains between 40,000 and 80,000 and it can decline rather 
than increase during certain months of activity. 



It is hard to estimate how much of bitcoin economy is a result of actual 
transactions (cf. Fig. 6 below) which are unrelated to the transactions very 
closely related to bitcoin mining (cf. yellow circles on Fig. 6). 

Fig. 6. Bitcoin transactions displayed in real time over a period of 15 minutes. Each
circle represents a single transaction, a yellow circle is the initial 25 BTC mining event, 
red transactions are those which are identified as currency exchange transactions (it is 
probably impossible to identify all such transactions) and blue circles are all the other 
transactions. 



On the one hand, it is easy to see that bitcoin mining events produce a stream
of fresh bitcoins (cf. yellow circles on Fig. 6). However these bitcoins generate
several child transactions, large and small, due to subsequent transfers, pooled
mining, currency exchange and final storage operations. On the other hand various
statistics about the combined output of all bitcoin transactions such as displayed
by blockchain.info are not very meaningful because they include the amounts
of money the owners of bitcoins must return to themselves in the great majority of
existing bitcoin transactions. These amounts can be substantially higher than
the actual amount of bitcoins spent in the actual transactions, so
these figures are very high and do NOT reflect the actual bitcoin economy.
Some intuitive idea about the size of the bitcoin economy can be deduced from
the real-time graphs produced by http://www.bitcoinmonitor.com/ as shown
on Fig. 6.

2.6 Analysis of Bitcoin From The Point of View of Investors 

We consider that until now the bitcoin business was primarily about some
investors (A) spending some 1000 million dollars on mining hardware, and other
investors (B) who preferred to buy or use these newly created bitcoins for 400
million dollars and hold them. This is based on the assumption that a large
fraction of decisions to buy bitcoins were investment decisions (holding
bitcoins for profit) rather than resulting from rapidly growing adoption of
bitcoin in e-commerce, which is not the case, cf. Fig. 5. It is not entirely clear if
this assumption is reasonable to make and it requires further research.

We can now argue that the second group (B) has potentially spent MUCH
more than 400 million dollars. This is due to the fact that only a small fraction
of bitcoins was manufactured in the last 12 months. Investors who in the last 12
months have purchased newly created bitcoins for 400 million dollars (due to Fig.
4) have also purchased a lot more bitcoins from previous owners of bitcoins who
are free riders: people who have paid/invested very little, mining or purchasing
some bitcoins earlier. We lack any precise data but in order to be able to pay
some 400 M to miners (A) 2, investors (B) must have injected into the bitcoin
economy a possibly much larger sum of cash money (dollars). Let us assume
that this was 2 billion dollars. This amount is hard to estimate from available
data but it is probably a small multiple of 600 M and it cannot be higher than
5 billion dollars, the peak value at Fig. 2.

We can observe that the reason why so much money was made by owners 
of older coins was the monopoly rent: miners (A) were convinced to mine for 
this particular crypto currency which has influenced further investors (B) to 
provide additional funds also for this market. It is probably correct to assume 
that this is substantially more than the total amount of money invested in mining 
Litecoin and other crypto currencies, based on the fact that the total Market 
capitalization of all alternative currencies combined remains small compared to 
bitcoin, cf. http://www.cryptocoincharts.info/v2/coins/info. 



2 which has paid for some of their 600+ millions of dollars in hardware expenses 



Both investment decisions (A,B) have been made on the expectation that the
bitcoin market price will rise. In fact during the last 12 months the price has
been increasing (a lot) during just one month at the end of 2013, after which
we have seen a long painful correction cf. Fig. 2.

The idea that bitcoin market price in dollars will appreciate in the future is 
based on several premises which in our opinion are more irrational than rational: 

1. Bitcoin is expected to imitate the scarcity of rare natural resources such as 
Gold [11] and for this purpose bitcoin has a fixed monetary supply. 

2. However the scarcity of bitcoins is not natural, it is artificial. It is mandated 
by the bitcoin specification and software [14, 15]. This property is not written 
in stone. It is frequently criticized [5, 20] and it CAN be changed if a majority 
of miners agree, cf. [5]. 

3. Investors might be overestimating the importance of bitcoin in the economy 
in the future: the adoption of bitcoin as a currency or payment instrument 
cf. Section 2.5. 

4. This expectation does not take into account the 'alt-coins' (competitors 
to bitcoin). Alt-coins clearly break the rule of fixed monetary supply of 
coins and can be created at will. It cannot be guaranteed that the current 
monopoly situation of bitcoin is going to last. 

Various surveys show that about 50 % of people involved with bitcoin do very 
naively believe that bitcoin will be worth 10,000 USD at the end of 2014 [17]. 



2.7 What Does This Monumental Investment Pay For? 

We have estimated that for-profit bitcoin miners (A) have invested some 1,000
M dollars in bitcoin infrastructure, while at the same time other investors (B)
have invested a yet larger sum of cash money, maybe 2,000 M on buying bitcoins
probably driven by a naive 3 expectation that they will rise in the future.

Now the interesting question is, what do these monumental investments pay
for? Knowing that the bitcoin adoption as a medium of exchange is not
expanding as suggested by Fig. 3 these investments went mostly into building an
excessive quantity of hashing power (1000x increase). In [20] Scams writes:

"The amount of capital collectively burned hashing fixes the capital
outlay required of an attacker to obtain enough hashing power to have a
meaningful chance of orchestrating a successful double-spend attack on
the system [...] The mitigation of this risk is valuable, [...]"

We have this expensive and powerful hashing infrastructure. We could call 
it (ironically) the Great Wall of Bitcoin which name is justified by the fact 
that bitcoin miners have invested roughly about 1 billion dollars to build it and 
it is expected to protect bitcoin against attacks. This leads to the following 
working hypothesis which is really about economics of information security and 
which we will later dispute. Maybe one must spend a lot of money on the 
bitcoin hashing infrastructure in order to achieve good security. Maybe there is 
a large cost associated with building a global distributed financial infrastructure 
totally independent from governments, large banks, the NSA, etc. Maybe one 
can hardly hope to spend less and security against double spending attacks has 
some inherent price which needs to be paid. 

We claim that this sort of conclusion is MISTAKEN and the devil is in the 
details. In this paper we are going to show that the amount of money needed 
to commit for-profit double spending attacks remains moderate, it has nothing 
to do with the 600 M dollars spent on ASIC miners in activity. It is a fallacy to 
consider that money burnt in hashing could or should serve as effective protection 
against attacks. This is because money at risk, for example in large transactions, 
can be substantially larger than the cost of producing a fork in the block chain. 
We claim that nearly anybody can commit double spending attacks, or it will 
become so in the future. We claim that the current 1 billion dollar investment
in bitcoin infrastructure is neither necessary nor sufficient to build a secure 
digital currency. It simply does NOT serve as effective protection and does 
not deliver the security benefits claimed. This is due to misplaced ideology such 
as the so called The Longest Chain Rule, important technicalities and lack of the 
most basic features in Satoshi bitcoin specification. We intend to show that it 
is possible to fix the double spending problem in bitcoin with cryptography and 
timestamping, and the cost of doing so is in general much lower than expected.



3 The bitcoin market price is rather going down ever since December 2013 cf. Fig. 2. 



3 Short Description of How Bitcoin Works 



We have essentially one dominant form of bitcoin software [15] and the primary
"official" bitcoin protocol specification is available at [19]. However bitcoin
belongs to no one and the specification is subject to change. As soon as a majority
of people run a different version of it, and it is compatible with the older software,
it becomes the main (dominating) version.

Bitcoin is a sort of distributed electronic notary system which works by
consensus. We have a decentralized network of nodes with peer-to-peer connections.
The main functionality of bitcoin is to allow transfer of money from one account
to another. At the same time network participants create new coins and perform
necessary checks on previous transactions which are meant to enforce "honest"
behavior. Integrity of bitcoin transactions is guaranteed by cryptographic hash
functions, digital signatures and a consensus about what is the official history
of bitcoin. Below we provide a short, concise description of how bitcoin works.

1. We have a decentralized network of full bitcoin nodes which resembles a 
random graph. Network nodes can join and leave the network at any moment. 

2. Initially, when bitcoins are created, they are attributed to any network node 
willing and able to spend sufficient computing power on solving a difficult 
cryptographic puzzle. We call these people "miners".

3. It is a sort of lottery in which currently 25 bitcoins are attributed to one and 
unique "winner" every 10 minutes. 

4. With time this quantity decreases which has been decided by the creator(s) 
of bitcoin in order to limit the monetary supply of bitcoins in the future. 

5. The legitimate owner of these 25 bitcoins is simply identified by a certain 
public key (or several public keys). 

6. A public ledger of all transactions is maintained and it is used to record all 
transfers of bitcoins from one account (one public key) to another. 

7. Bitcoins are divisible and what is stored on the computers of the network 
participants are just the private keys. 

8. The amount of bitcoins which belongs to a given key at a given moment is 
stored in the public ledger, a copy of which is stored at every full network 
node application and constantly kept up to date. 

9. Miners repeatedly compute a double SHA-256 hash H2 of a certain data 
structure called a block header which is a combination of events in the recent 
bitcoin history and which process is described in more detail in [5, 19]. 

10. This H2 must be such that when written as an integer in binary it will have 
some 64 leading zeros which corresponds to the difficulty level in the bitcoin 
network at a given moment (cf. [5]). 

11. The difficulty level can go up and down depending on how many people
participate in mining at a given moment. It tends to increase and it rarely
decreases 4.

4 In bitcoin it has increased at truly unbelievable speed, cf. Fig. 3. In other crypto 
currencies it is more likely to decrease in a substantial way as we will see in this 
paper 



12. More precisely, in order to produce a winning block, the miner has to generate 
a block header such that its double SHA-256 hash H2 is smaller than a certain 
number called target. 

13. This can be seen as essentially a repeated experiment where H2 is chosen
at random. The chances of winning in the lottery are very small and
proportional to one's computing power multiplied by $2^{-64}$. This probability
decreases with time as more miners join the network. The bitcoin network
combined hash rate increases rapidly, see Fig. 3.

14. If several miners complete the winning computation only one of them will 
be a winner which is decided later by a consensus. 

15. Existing portions of the currency are defined either as outputs of a block 
mining event (creation) or as outputs of past transactions (redistribution of 
bitcoins). 

16. The ownership of any portion of the currency is achieved through chains of 
digital signatures. 

17. Each existing quantity of bitcoin identifies its owner by specifying his public 
key or its hash. 

18. Only the owner of the corresponding private key has the power to transfer 
this given quantity of bitcoins to other participants. 

19. Coins are divisible and transactions are multi-input and multi-output. 

20. Each transaction mixes several existing quantities of bitcoins and re-distributes 
the sum of these quantities of bitcoin to several recipients in an arbitrary 
way. 

21. The difference between the sum of inputs and the sum of all outputs is the 
transaction fee. 

22. Each transaction is approved by all the owners of each input quantity of 
bitcoins with a separate digital signature approving the transfer of these 
moneys to the new owners. 

23. The correctness of these digital signatures is checked by miners. 

24. Exactly one miner approves each transaction which is included in one block.
However blocks form a chain and other miners will later approve this block.
At this moment they should also check the past signatures, in order to
prevent the miner of the current block from cheating. With time transactions
are confirmed many times and it becomes increasingly hard to reverse them.

25. All this is effective only for blocks which are in the dominating branch of
bitcoin history (a.k.a. the Main Chain). Until now the great majority of events
in the bitcoin history have become part of this official history.

26. In theory every bitcoin transaction could later be invalidated. A common 
solution to this problem is to wait for a small multiple of 10 minutes and 
hope that nobody will spend additional effort just in order to invalidate one 
transaction. These questions are studied in more detail in Section 6. 

27. Overall the network is expected to police itself. Miners not following the 
protocol risk that their blocks will be later rejected by the majority of other 
miners. Such miners would simply not get the reward for which they work. 

28. There is no mechanism to ensure that all transactions would be included by
miners other than the financial incentive in the form of transaction fees.



29. There is no mechanism to store a complete history of events in the network 
other than the official (dominating) branch of the block chain. Memory about 
past transactions and other events in the network may be lost, cf. [10]. 
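
The mining lottery of items 9 to 13 can be made concrete with the following sketch, which is an added example and not code from the paper or from the bitcoin software. The 80-byte header layout and the compact "bits" encoding are those of the bitcoin protocol; the header contents, the easy difficulty and all function names are constructed for illustration, and the 0.5 TH/s figure is the machine speed quoted in Section 2.1.

```python
import hashlib
import struct

def double_sha256(data: bytes) -> bytes:
    """H2 in the text: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    """Expand the compact 4-byte 'bits' header field into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def build_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """Serialize the 80-byte block header; integers are little-endian."""
    return struct.pack("<L32s32sLLL", version, prev_hash, merkle_root,
                       timestamp, bits, nonce)

def header_hash_as_int(header: bytes) -> int:
    """The digest is compared with the target as a little-endian integer."""
    return int.from_bytes(double_sha256(header), "little")

def meets_target(header: bytes, bits: int) -> bool:
    """Item 12: a winning header hashes to a value smaller than the target."""
    return header_hash_as_int(header) < bits_to_target(bits)

def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2**32):
    """Try nonces in order until the header meets the target (the 'lottery')."""
    for nonce in range(max_nonce):
        header = build_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
        if meets_target(header, bits):
            return nonce, header
    return None  # nonce space exhausted; a real miner would change other fields

def win_probability(target: int) -> float:
    """Item 13: chance that one hash attempt lands below the target."""
    return target / 2**256

def expected_seconds_per_block(hashes_per_second: float, target: int) -> float:
    """Mean waiting time for a miner of the given speed to win one block."""
    return 1.0 / (hashes_per_second * win_probability(target))

# Constructed sample values (not a real block).
SAMPLE_PREV = double_sha256(b"constructed previous block")
SAMPLE_MERKLE = double_sha256(b"constructed transaction set")
SAMPLE_TIME = 1397000000          # a timestamp in April 2014
EASY_BITS = 0x1F00FFFF            # 16 leading zero bits, about 65,000 tries
TARGET_64_ZERO_BITS = 1 << 192    # the "some 64 leading zeros" of item 10

if __name__ == "__main__":
    nonce, header = mine(1, SAMPLE_PREV, SAMPLE_MERKLE, SAMPLE_TIME, EASY_BITS)
    print("nonce", nonce, "hash", double_sha256(header)[::-1].hex())
    days = expected_seconds_per_block(0.5e12, TARGET_64_ZERO_BITS) / 86400
    print("0.5 TH/s machine alone, 64 zero bits: one block per %.0f days" % days)
```

At 64 leading zero bits a single 0.5 TH/s machine mining alone would wait more than a year on average for one block, which is why the lottery is in practice played through pools.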

4 Asynchronous Operation And The Longest Chain Rule 

According to the initial design by Satoshi Nakamoto [14] the initial bitcoin
system is truly decentralized and can be to a large extent asynchronous. Messages
are broadcast on the basis of best effort. Interestingly the system can support
important network latency and imperfect diffusion of information. Information
does not have to reach all nodes in the network in real time; nodes can
be synchronized later and can agree on a common history at any later moment.

The key underlying principle which allows this objective to be achieved is the
Longest Chain Rule of Satoshi Nakamoto [14]. It can be stated as follows:

1. Sometimes we can have what is called a fork: there are two equivalent
solutions to the cryptographic puzzle.

2. Currently a fork happens less than 1 % of the time, see Table 1 in [6]. However 
it clearly could and would be more frequent in poor network conditions or 
due to certain attacks, cf. [12,6]. 

3. Different nodes in the network have received one of the versions first and 
different miners are trying to extend one or the other branch. Both branches 
are legitimate and the winning branch will be decided later by a certain type
of consensus mechanism, automatically without human intervention. 

4. The Longest Chain Rule of [14] says that if at any later moment in history 
one chain becomes longer, all participants should switch to it automatically. 

With this rule, it is possible to argue that due to the probabilistic nature of 
the mining process, sooner or later one branch will automatically win over the 
other. For example we expect that a fork of depth 2 happens with the frequency 
which is the square of previous frequency, i.e. about 0.01 % of the time. This 
is what was predicted and claimed by Satoshi Nakamoto [14]. This is precisely 
what makes bitcoin quite stable in practice. Forks are quite rare, and wasted 
branches of depth greater than one are even much less frequent, see Table 1 in 
[6]. All this is however theory or how the things have worked so far in recent 
bitcoin history. In practice it is more complicated as we will see in this paper. 
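
The rule as stated in points 1 to 4 can be modelled in a few lines. The sketch below is an added example, not code from the paper or from the bitcoin software: the classes Tx, Block and Node, the single-input toy transactions and the block identifiers are all constructed for illustration. The reorg_log is a monitoring addition; a node applying the plain rule simply forgets the losing branch and the transactions that were only in it.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Tx:
    txid: str
    coin: str    # the one previous output this toy transaction spends
    payee: str

@dataclass(frozen=True)
class Block:
    block_id: str
    parent: Optional[str]
    txs: Tuple[Tx, ...] = ()

class Node:
    """A node that follows the Longest Chain Rule and logs what a switch discards."""

    def __init__(self):
        self.blocks = {"G": Block("G", None)}   # genesis block
        self.height = {"G": 0}
        self.tip = "G"
        self.reorg_log = []                      # recorded double-spend events

    def branch(self, block_id):
        """Block ids from block_id back to genesis, newest first."""
        out = []
        while block_id is not None:
            out.append(block_id)
            block_id = self.blocks[block_id].parent
        return out

    def receive(self, block):
        self.blocks[block.block_id] = block
        self.height[block.block_id] = self.height[block.parent] + 1
        # Point 4: switch as soon as some chain becomes longer than ours.
        # A tie leaves the node on the branch it received first (point 3).
        if self.height[block.block_id] > self.height[self.tip]:
            old_tip, self.tip = self.tip, block.block_id
            if block.parent != old_tip:
                self._log_reorg(old_tip)

    def _log_reorg(self, old_tip):
        new_branch = self.branch(self.tip)
        on_new = set(new_branch)
        orphaned = [b for b in self.branch(old_tip) if b not in on_new]
        fork_point = self.blocks[orphaned[-1]].parent
        adopted = new_branch[:new_branch.index(fork_point)]
        spent = {tx.coin: tx for b in adopted for tx in self.blocks[b].txs}
        for b in orphaned:
            for tx in self.blocks[b].txs:
                rival = spent.get(tx.coin)
                if rival is not None and rival.txid != tx.txid:
                    self.reorg_log.append({
                        "coin": tx.coin,
                        "dropped_tx": tx.txid,
                        "kept_tx": rival.txid,
                        "depth": len(orphaned),
                        "confirmations_lost": self.height[old_tip] - self.height[b] + 1,
                    })

    def confirmations(self, txid):
        """Main-chain blocks on top of, and including, the block holding txid."""
        for b in self.branch(self.tip):
            if any(tx.txid == txid for tx in self.blocks[b].txs):
                return self.height[self.tip] - self.height[b] + 1
        return 0

def replay_constructed_fork():
    """Constructed scenario: two branches spend the same coin c1 differently."""
    t1 = Tx("t1", "c1", "merchant")
    t2 = Tx("t2", "c1", "someone_else")
    node = Node()
    node.receive(Block("A1", "G", (t1,)))
    node.receive(Block("B1", "G", (t2,)))   # fork: node stays on A1
    node.receive(Block("A2", "A1"))
    seen_before = node.confirmations("t1")  # confirmations on branch A
    node.receive(Block("B2", "B1"))         # tie: still on branch A
    node.receive(Block("B3", "B2"))         # branch B is now longer: switch
    return node, seen_before

if __name__ == "__main__":
    node, before = replay_constructed_fork()
    print("t1 confirmations before/after:", before, node.confirmations("t1"))
    print(node.reorg_log)
```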

4.1 Why Do We Have This Rule? 

It is remarkable that in bitcoin literature this rule is taken for granted without 
any criticism. For example in the very highly cited recent paper [12] we read: "To 
resolve forks, the protocol prescribes miners to adopt and mine on the longest 
chain." In this paper we are going to show that this rule is highly problematic 
and that it leads to very serious hazards. 



4.2 Genius or Engineering Mistake? 

It is possible to see that this consensus mechanism in bitcoin has two distinct 
purposes: 

1. It is needed in order to decide which blocks obtain a monetary reward and 
resolve potentially arbitrarily complex fork situations in a simple elegant and 
convincing way. 

2. It is also used to decide which transactions are accepted and are part of 
official history while some other transactions are rejected (and will not even 
be recorded, some attacks could go on without being noticed, cf. [10]). 

Here is the crux of the problem. The creator of bitcoin software Satoshi 
Nakamoto has opted for a solution of extreme elegance and simplicity, one single 
(longest chain) rule which regulates both things. This is neat. 

However in fact it is possible to see that this is rather a mistake. In principle 
there is NO REASON why the same mechanism should be used to solve both 
problems. On the contrary. We need to observe that the transactions are gen- 
erated at every second. Blocks are generated every 10 minutes. In bitcoin the 
receiver of money is kept in the state of incertitude 5 for far too long 
and this with no apparent reason. 

The current bitcoin currency produces a situation of discomfort and depen- 
dency of a peculiar sort. Miners, who represent some wealthy people in the bitcoin 
network, are in a privileged position. Their business of making new bitcoins has 
negative consequences on the smooth processing of transactions. It is a source of 
instability which makes people wait for their transactions to be approved for far 
too long a time 5. We claim that it should be possible to design a better mechanism 
in bitcoin, a question which we will study later in Section 7.1. 

4.3 Consensus Building 

The common history in bitcoin is agreed by a certain type of democratic con- 
sensus. In the initial period of bitcoin history people mined with CPUs and the 
consensus was essentially of type one CPU one vote. However nowadays people 
mine bitcoins with ASICs which are roughly ten thousand times more powerful 
than CPUs (more precisely they consume ten thousand times less energy, cf. 
[5]). Bitcoin miners need now to invest thousands of dollars to buy specialized 
devices and be at the mercy of the very few suppliers of such devices which tend 
NOT to deliver them to customers who paid them for extended periods of time, 
see Appendix of [6]. It appears that the democratic base of bitcoin has shrunk 
and the number of active miners has decreased. 

Nevertheless in spite of these entry barriers the income from mining remains 
essentially proportional to the hashing power contributed to the network (in fact 
not always, see [6, 12]). This is good news: malicious network participants which 
do not represent a majority of the hash power are expected to have a difficult time 
trying to influence the decisions of the whole bitcoin network. 

5 This period of incertitude is even much longer for large transactions: for example if we 
wish to withdraw some 1 million dollars which is currently about 2200 bitcoins, we 
should probably wait for some 100 blocks or 10 hours. Otherwise it may be profitable 
to run the double spending attack which we study later on Fig. 7, page 21. 

In a first approximation it appears that the Longest Chain Rule works well 
and solves the problem of producing consensus in a very elegant way. Moreover 
it allows asynchronous operation: the consensus can propagate slowly in the 
network. In practice it is a bit different. In this paper we are going to challenge 
this traditional wisdom of bitcoin. In Section 6 and in later Sections 10 and 
11 we are going to argue that more or less anyone can manipulate virtual 
currencies for profit. 

In fact we are not even sure if the Longest Chain Rule is likely to be applied 
by miners as claimed. This is what we are going to examine first. 

4.4 The Longest Chain Rule - Reality or Fiction 

This rule is taken for granted and it seems to work. However, we can easily 
imagine that it will be otherwise. There are several reasons why the reality 
could be different: 

1. We already have a heterogeneous base of software which runs bitcoin and the 
protocols are on occasions updated or refined with new rules. On occasions 
there will be some bugs or ambiguities. This has already happened in March 
2013. There were two major versions of the block chain. For 6 hours nobody 
was quite sure which version should be considered as correct, both were 
correct. The problem was solved because the majority of miners could be 
convinced to support one version. Apparently the only thing which could 
solve this crisis was human intervention and influence of a number of key 
people in the community, see [4]. 

2. Open communities tend to aggregate into clusters. These clusters could pro- 
duce distinct major software distributions of bitcoin, similar to major dis- 
tributions of Linux which will make some conflicting choices and will not 
necessarily agree on how decisions can be made. For example because they 
promote their brand name and some additional business interests. We al- 
ready observe a tendency to set up authoritative bitcoin authorities on the 
Internet such as blockchain.info. Software developers are tempted to rely 
on these web services rather than work in a more "chaotic" fully distributed 
asynchronous way. People can decide to trust a well-established web service 
rather than network broadcasts which could be manipulated by an attacker. 

3. This is facilitated by the fact that bitcoin community produces a lot of open 
source software and free community web services. 

4. It is also facilitated by the fact that the great majority of miners mine in 
pools. Moreover they tend to "flock to the biggest pools" [6, 18]. Just one 
pool reportedly based in Ukraine was recently controlling some 45 % of the 
whole bitcoin network, see Table 2 in [6]. 

The pool managers and not individual miners are those who can decide which 
blocks are mined and which transactions will be accepted. The software run 
by pools is not open source and not the same as run by ordinary bitcoin 
users. In particular they can adopt various versions or exceptions from The 
Longest Chain Rule. In Section 8.1 we will propose further new ways for 
pool managers to attack the bitcoin network. 

5. More importantly participants could suspect or resist an attack by a powerful 
entity (which thing allows effectively to cancel past transactions and double 
spend) and they will prefer to stick to what their trusted authority says. 

6. Even more importantly these sub-communities of bitcoin enthusiasts will 
also contain professional for-profit bitcoin miners who can be very influential 
because for example they will be sponsoring the community. Their interest 
will be that their chain wins because they simply need to pay the electricity 
bill for it. If another chain wins, they have lost some money. 

We see that sooner or later we could have a situation in the bitcoin community 
such that people could agree to disagree. If one group has spent some money on 
electricity on one version of the chain, their interest will be to over-invest now in 
order to win the race. Over-investment is possible because there is always spare 
capacity in bitcoin mining which has been switched off because it is no longer very 
profitable. However the possibility to also earn money for previous blocks, which 
money would otherwise have been lost, can make some operations profitable again. 
Such mechanisms could also be used to cancel large volumes of transactions and 
commit large scale financial fraud, possibly in combination with cyber attacks. 
This can be done in such a way that nobody is to blame and everything seems 
normal following the Longest Chain Rule. Losses will be blamed on users 
not being careful enough or patient enough to confirm their transactions. 

4.5 Summary: Operation in Normal Networks 

We have seen that bitcoin has been designed to operate in extreme network 
conditions. Most probably bitcoin could operate in North Korea or in Syria torn 
by war operations, or in countries in which the government is trying to ban 
bitcoin or is very heavily limiting the access of the citizens to fast computer 
networks such as the Internet. 

In contrast in the real life, the propagation in the global network of bitcoin 
client applications is quite fast: the median time until a node receives a block is 
6.5 seconds whereas the average time is 12.6 seconds, see [8, 9]. The main claim 
in this paper is that in normal networks the Longest Chain Rule is not only not 
very useful, but in fact it is sort of toxic and leads to increased risks of attacks 
or just unnecessary instability and overall slower financial transactions. 

Before we consider how to reform or replace the Longest Chain Rule, we look 
at the questions of monetary policy in bitcoin. Later we will discover that both 
questions are related, because deflationary policies erode the income of honest 
miners which increases the risk of for-profit block chain manipulation attacks, 
cf. Sections 10, 11 and 12. 



5 Deflationary Coins vs. Growth Coins 



It is possible to classify crypto currencies in two families: 

1. Deflationary Currencies in which the monetary supply is fixed 6. For ex- 
ample in bitcoin and Litecoin. 

2. Growth Currencies in which the monetary supply is allowed to grow at a 
steady pace, for example in Dogecoin. 

Bitcoin belongs to the first family. This is quite unfortunate. In [20] we read: 

"This limited-supply issue is the most common argument against the 
viability of the new currency. You read it so often on the web. It comes 
up time and again". 

In the following three subsections we look at the main arguments why a 
fixed monetary supply in bitcoin is heavily criticized. We need to examine the 
following four questions: 

1. comparison to gold, other currencies and commodities 

2. volatility 

3. miner reward vs. fees 

4. competition with other cryptocurrencies. 



5.1 Comparison to Gold, Other Currencies and Commodities 

Bitcoin is frequently compared to gold and The Economist called it "Digital 
Gold" in April 2013, cf. [11]. However actually gold belongs to the second cate- 
gory: the worldwide supply of gold grows every year due to gold mining, with a 
yearly increase of the quantity of gold by some 0.5 - 1 %. In fact when bitcoin 
mandates a fixed monetary supply, ignoring the growth of the bitcoin economy, 
arguably we enter an area of misplaced ideology and monetary non-sense. If the 
economy grows substantially, the monetary supply should probably follow or the 
currency is not going to be able to make a correct connection between the past 
and the future. It is widely believed that business does not like instability. It is 
well known in traditional economics that deflation discourages spending, creates 
an expectation that prices would further decrease with no apparent limit. 

To the best of our knowledge, no currency and no commodity has ever had 
in the human history a totally fixed quantity in circulation. This is clearly an 
artificial property which makes bitcoin like no other currency and like no 
other commodity. This is expected to have very serious consequences and could 
be potentially fatal to bitcoin in the long run. 

6 These are also called Log Coins in [20] which is not quite correct because the mon- 
etary supply in bitcoin does not grow logarithmically. 



5.2 The Question of Volatility 



Here the argument is that basically deflationary currencies are expected to have 
higher volatility due to the existence of people holding large balances for 
speculation. In [16] Robert Sams claims that deflationary currencies lead to a 
"toxic amount of exchange rate volatility" providing yet another reason for users 
to "run away" from using these currencies as a medium of exchange. 

5.3 Miner Reward 

We need to recognize the role of miners in digital currencies. In [20] Sams writes: 
"The amount of capital collectively burned hashing fixes the capital outlay 
required of an attacker to obtain enough hashing power to have a meaningful 
chance of orchestrating a successful double-spend attack on the system [...] The 
mitigation of this risk is valuable, [...]" 

Now the deflationary currencies do with time decrease the reward for miners. 
This is highly problematic. In [20] citing J. Kroll from Princeton University we 
read: "If you take this away, there will be no incentive for people to keep con- 
tributing processing power to the system [...] "If the miner reward goes to zero, 
people will stop investing in miners,". Then the hash rate is likely to decrease 
and bitcoin will no longer benefit from a protection against double spending 
attacks, cf. Section 6. 

Moreover Kroll explicitly says that the problem is NOT solved by transaction 
fees and says: [...] You have to enforce some sort of standard payment to the 
miners, [...] change the system so that it keeps creating bitcoins. 

5.4 The Increasing Fees Argument 

The question of why fees are not enough to support miners has been brilliantly 
explained by Robert Sams in [16]. 

The argument is that basically sooner or later "deflationary currencies" and 
"growth currencies" will be in competition. Then all the other things being more 
or less in equilibrium, in deflationary currencies most of the profit from appre- 
ciation will be received by holders of current coins through their appreciation. 
Therefore less profit will be made by miners in these currencies. However min- 
ers control the network and they will impose higher fees. In contrast in growth 
coins, there will be comparatively more seignorage profit and it will be spent on 
hashing. Miners will make good profits and transaction fees will be lower. Thus 
year after year people will prefer growth currencies due to lower transaction fees. 

Overall we see that this is a crucial question of how the cost of the infrastruc- 
ture necessary to maintain a digital currency is split between new adopters 
(which pay for it through appreciation) and users (which pay through transac- 
tion fees). It is obvious that there exists an optimal equilibrium between these 
two sources of income, and that there is no reason why the creator of bitcoin 
would get it right; some adjustments will be necessary in the future. 



5.5 The Appreciation Argument 

There is yet another argument: it is possible to believe that bitcoin will appre- 
ciate so much that halving the reward every 4 years will be absorbed by an 
increase in bitcoin price. This means an extreme amount of deflation (double 
every 4 years) making it tempting to hoard bitcoins, which further decreases the 
amount of bitcoins in actual usage and makes people hoard bitcoins even more. 

We claim that this is very unlikely. This is mainly because the digital economy 
does not double every 4 years and does NOT grow by sudden jumps at the 
boundaries of the intervals arbitrarily decided by the creator of bitcoin. We 
refer to Part 3 of [5], Sections 10, 11 and 12 for further discussion and concrete 
examples of predicted and actual devastating effects of sudden jumps in the 
miner reward. 



6 Is The Longest Chain Rule Helping The Criminals? 



This section is the central section in this paper. We are going to show a simple 
attack which allows double spending. The attack is not very complicated and we 
do not claim it is entirely new. 

Our attack could be called a 51 % attack however we avoid this name because 
it is very highly misleading. There are many different things which can be done 
with 51 % of computing power, (for example to run a mining cartel [6] or/and 
cancel/undo any chosen subset of past transactions) and many very different 
attacks have been called a 51 % attack. We are in general under the impression 
that a 51 % attack is about holding more than 50 % of the hash power kind of 
permanently or for a longer period of time, while our attacks are rapid short-term 
attacks cf. Fig. 7 page 21. 

The main reasons why this attack has not been properly understood and 
studied before in bitcoin literature are probably as follows: 

1. There is some sort of intuitive understanding in the bitcoin community that 
the Longest Chain Rule solves all problems in this space, and there is simply 
no problem of this sort, and if there is, people naively believe that it is not 
very serious. In other terms nobody wants to admit that the creators of 
bitcoin could have created a system which has this sort of problem. 

2. People have wrongly assumed that bitcoin achieves very substantial comput- 
ing power which no one can match, which is still the case today however it 
is highly problematic to see if this will hold in the future. 

3. Great majority of people who discuss bitcoin make an implicit wrong as- 
sumption about a static nature of threats and attacks about bitcoin. We 
hear about 51 % attack etc and it seems that nobody except maybe the 
NSA could execute such an attack. 

In reality the notion of a 51 % attack takes a very different meaning in a 
cloud computing world: the attacker does not need to own a lot of computing 
power, he can rent it for a short time, and then 51 % attack can have a 
surprisingly low cost. 

4. The notion of 51 % attacks is also very highly misleading because presenting 
the hash power as a percentage figure does NOT make sense because the 
hash rate is measured at two different moments. Therefore the proportion of 
hash power used in attack is NOT a number between 0 and 100 %. It can 
easily be larger than 100 %. 

In fact the hash power at one moment can be 10 times bigger than a few 
minutes later, see Fig. 14 on page 37 for an actual historical example. 

5. It was also wrongly assumed that the bitcoin adopters are more or less the 
same as miners, they own the devices and the computing power cannot 
change hands very quickly. 

6. Many bitcoin adopters did not anticipate that in the future bitcoin will have 
to compete with other crypto currencies and that hash power could instantly 
be moved from one crypto currency to another. 



7. Many people did not predict that an increasing fraction of all available com- 
puting power is going to exist in the form of rented cloud miners. This is 
due to several factors. Investing in wholly owned mining equipment has been 
excessively risky, this is both due to the impossibility to know if and when 
miners will effectively be delivered (cf. Appendix of [6] and Section 2.4) and 
due to the price volatility. In contrast investing in rented capacity is nearly 
risk-free. Another reason is that some large investors may have over-invested 
in large bitcoin mining farms consuming many Megawatts of electricity (we 
know from the press that such facilities have been built in Sweden, Hong 
Kong, USA, etc..) and now they want to rent some parts of it in order to 
get immediate cashflow and return on their investment. 

Later we are going to see that this attack also gets worse with time due to 
the built-in monetary policy in bitcoin and that there will be sudden transitions 
because the monetary policy mandates sudden jumps in the miner reward (cf. 
also Part 3 in [5]). 

Our basic attack is self-explanatory: some attacker produces a fork in order 
to cancel some transaction[s] by producing a longer chain in a fixed interval of 
time, see Fig. 7 below. The attack clearly can be profitable. The question of 
actual feasibility of this attack is a complex one, it depends on many factors and 
we will amply study this and related questions later throughout this paper. 

Fig. 7. A simple method to commit double spending. The attacker tries to produce 
the second chain of blocks in order to modify the recipient of some large transaction(s) 
he has generated himself. Arguably under the right conditions, this is easy to achieve 
and clearly profitable. The only problem is the timing: to produce these blocks on time 
requires one to temporarily acquire very substantial computing power such as more 
than 51 % at the expense of other miners or other crypto currencies. 



In the following sections we are going to analyse the risks which result from 
this and similar attacks. 



6.1 Discussion 

Important Remark 1. The attack is NOT limited to defrauding people who 
would accept a single large payment in exchange of goods or another quantity 
of a virtual currency (mixing services, exchanges, some sorts of shares). The 
attacker can in the same way issue a large number of small transactions and 
cancel all of them simultaneously in the same way. 

Important Remark 2. The most shocking discovery is that anyone can 
commit such fraud and steal money. They just need to rent some hashing power 
from a cloud hashing provider. Bitcoin software does not know a notion of a 
double spending attack and if it occurs possibly nobody would notice: only 
transactions in the official dominating branch of the blockchain are recorded 
in the current bitcoin network, cf. [10]. It may also be difficult to claim that 
something wrong happened: one may consider that this is how bitcoin works 
and the attacker has not done anything wrong. 

In a competitive market they do not need to pay a lot for this. Not much 
more than 25 BTC per block (this is because miners do not mine at a loss, the 
inherent cost of mining per block should be less than 25 BTC). The attacker just 
needs to temporarily displace the hashing power from other crypto currencies for 
a very short period of time which is easy to achieve by paying a small premium 
over the market price. 

There is another very serious possibility, that the spare hash power could 
also be obtained from older miner devices which have been switched off because 
they are no longer profitable (or a combination of old and new devices). However 
they may be profitable for criminals able to generate an additional income from 
attacks. Given the fact that the hash rate increases steadily, cf. Fig. 3, it is quite 
possible to imagine that the hash power which has been switched off is very 
substantial and comparable in size to the active hash power. 
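
Important Remark 2 notes that only the dominating branch is recorded, so a double spend carried out through a fork leaves no trace. The following is an added sketch, not bitcoin's own code, of the bookkeeping a monitoring node could do when it switches branches; the `Tx` and `Block` structures and all identifiers are simplified, constructed assumptions, and coinbase transactions are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple  # previous outputs ("coins") consumed by this transaction


@dataclass(frozen=True)
class Block:
    hash: str
    parent: str
    txs: tuple


def chain_to(tip, blocks):
    """Return the blocks from the oldest known ancestor up to `tip`."""
    chain = []
    while tip in blocks:
        chain.append(blocks[tip])
        tip = blocks[tip].parent
    return chain[::-1]


def audit_reorg(old_tip, new_tip, blocks):
    """Record what is lost when a node switches from old_tip to new_tip."""
    old, new = chain_to(old_tip, blocks), chain_to(new_tip, blocks)
    shared = 0
    while shared < min(len(old), len(new)) and old[shared].hash == new[shared].hash:
        shared += 1
    abandoned, adopted = old[shared:], new[shared:]

    adopted_ids = {tx.txid for b in adopted for tx in b.txs}
    # Which transaction in the adopted branch consumes each coin.
    spent_by = {coin: tx.txid for b in adopted for tx in b.txs for coin in tx.spends}

    report = {"depth": len(abandoned), "double_spends": [], "unconfirmed": []}
    for block in abandoned:
        for tx in block.txs:
            if tx.txid in adopted_ids:
                continue  # the same payment survives in the new branch
            rivals = sorted({spent_by[c] for c in tx.spends if c in spent_by})
            if rivals:
                # Same coin, different transaction: the old payment is now void.
                report["double_spends"].append((tx.txid, rivals))
            else:
                # Dropped but not contradicted: it can still be mined again.
                report["unconfirmed"].append(tx.txid)
    return report


# Constructed sample: block X is shared, A1-A2 is the branch first seen by the
# node, B1-B3 is the longer branch that later replaces it.
SAMPLE = {b.hash: b for b in [
    Block("X", "", ()),
    Block("A1", "X", (Tx("pay-exchange", ("coin-1",)), Tx("coffee", ("coin-2",)))),
    Block("A2", "A1", (Tx("rent", ("coin-3",)),)),
    Block("B1", "X", (Tx("pay-self", ("coin-1",)), Tx("coffee", ("coin-2",)))),
    Block("B2", "B1", ()),
    Block("B3", "B2", ()),
]}

if __name__ == "__main__":
    print(audit_reorg("A2", "B3", SAMPLE))
```

The check only works if the node keeps the abandoned blocks long enough to compare them, which is exactly the record the text says is currently missing.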

Important Remark 3. There is yet another way to execute such attacks: 
to offer a large number of miners a small incentive (as a premium over the 
market price) to go mine for another crypto currency, before the attack begins. 
This can lead to massive displacement of hash power before the attack starts. 
Then at the moment when block X+1 is mined following the notations of Fig. 7, 
the double spending attack costs less. Further advanced attack scenarios with 
malicious pool managers and which can easily be combined with this preliminary 
displacement of hash power are proposed and studied in Section 8.2. 

Important Remark 4. It is very important to understand that what we 
present on Fig. 7 is not an attack (yet) if (as it is currently the case) bitcoin 
is a dominating crypto currency. However it becomes an attack when bitcoin 
ceases to be a dominant crypto currency. It already is an attack on many existing 
crypto currencies cf. for example Section 10 and 11. 

The ONLY thing which makes this attack not feasible in practice on 
bitcoin itself at the moment of writing, is that bitcoin remains the dominating 
crypto currency and commands more hash power than all other currencies com- 
bined. It appears that bitcoin could claim to be a sort of natural monopoly: it 
is able to monopolize the market and its competitors find it hard to compete. 



Important Remark 5. Things are expected to considerably change in the 
future for bitcoin. We do not expect bitcoin to remain dominant forever. Here is 
why! Unhappily due to the cost of adopting bitcoin as a currency (the necessity 
to purchase bitcoins which have already been mined at a high price) one cannot 
prevent users from creating their own crypto currency. Gold does not give people 
and major countries any choice: some countries have gold mines or gold reserves, 
others don't. Digital currencies put all the countries and all the people at an equal 
footing. There will be always a large percentage of the population which will not 
be happy about the distribution of wealth and will try to promote a new crypto 
currency which gives (new) investors a better chance than having to buy coins 
already mined by other people. 

The fact that bitcoin is expected to lose its dominant position is also due to 
another factor, built-in decreasing returns for miners and the predicted conse- 
quences of this fact, see Section 5. 

Summary. Overall we get a combination of factors which are expected 
to lead to a rapid transition: from bitcoin being secure to bitcoin becoming 
vulnerable. For many crypto currencies all these things are already happening, 
see Section 10 and 11. The question whether it can also happen to bitcoin and 
what might be further consequences of it is further studied in Section 12. 



7 An Alternative Solution For Double Spending 

In this paper we heavily criticize the longest chain rule of Satoshi Nakamoto. 
A single rule which offers apparent elegance and simplicity and regulates two 
things at one time. It is responsible for deciding which freshly mined blocks are 
"accepted" and obtain monetary reward and at the same time for deciding which 
transactions are finally accepted and are part of the official common history 
of bitcoin. However as we have explained before, it is problematic to solve both 
problems with one single "blunt" rule, there is NO REASON why the same 
mechanism should govern both areas. It should be possible to design a 
better mechanism in bitcoin. 

7.1 Desired Characteristics 

Let us examine what kind of solution would be desirable. 

1. Earlier transactions should be preferred and as time goes by it should be 
increasingly difficult to commit double spending. 

2. Instead of instability and all or nothing behavior where a large number of 
transactions could be put into question, we should get stability and conver- 
gence. 

3. Relying parties should get increasing probabilistic certitude that the trans- 
action is final as time goes by, second after second. 

4. Unique transactions which spend some quantity[ies] of money in bitcoin 
should be always accepted with very large probability. 

5. Double spending transactions should simply be resolved on the basis of ear- 
lier transaction, if one transaction is much earlier than the other. 

6. Only in rare cases where competing transactions are emitted within a certain 
time frame there could be an ambiguity about which transaction will be 
accepted. 

We should also ask the question that maybe no transaction should be ac- 
cepted in this case, as it would show in a short time that either the payer is 
trying to cheat or his private key has been compromised. 

7. In particular though it is possible and does not cost a lot to rewrite bit- 
coin history in terms of which blocks get the reward, it should be somewhat 
STRICTLY HARDER and/or cost more (the exact criteria to be deter- 
mined) to rewrite bitcoin history in terms of who is the recipient of moneys. 

8. Even though miners can produce competing blocks and no one can decide 
which block obtains the reward later, all blocks are likely to include the same 
transactions. 

9. There should also be some protection against spam or DOS attacks: it should 
be difficult to jam the P2P network with too many transactions. 

10. People who deliberately execute attacks on the bitcoin network should pos- 
sibly be punished rather than be rewarded or get away with it. 

How exactly this can be done is not totally obvious, however it appears that 
bitcoin does not really provide an optimal solution and we need to propose 
something better. We are not going to claim to provide the ultimate solution. 
This is expected to be a solution better than status quo, subject to further 
improvement and detailed tuning to adapt it to the realities of bitcoin. 



7.2 Proposed Solution 



It is surprising to discover that Satoshi did NOT introduce a transaction 
timestamp in bitcoin software. It is NOT known WHY neither the original 
creator of bitcoin nor later bitcoin developers mandated one. This could 
be seen as an expression of misplaced ideology, giving the impression 
that maybe the Longest Chain Rule does solve the problems in an 
appropriate way. Unhappily it doesn't. 

Currently an approximate timing of transactions is known in the bitcoin 
network, it comes from the number of the block in which a given transaction is 
included: this gives a precision of approx. 10 minutes. Transactions without a 
fee could be much older than the block. However all blocks are broadcast on the 
network and it is very easy for the bitcoin software to obtain more precise timing 
of transactions with a precision of 1 second, maybe better. A number of web sites 
such as blockchain.info are already doing this: they publish timestamps for 
all bitcoin transactions which correspond to the earliest moment at which these 
transactions have been seen. 

A preliminary remark is that in the current bitcoin system, each quantity of 
bitcoins such as created or attributed to a certain public key by some previous 
transaction, can be used only once. There should be at most one digital sig- 
nature which transfers this quantity to another set of public keys (there can be 
multiple recipients for each transaction). Two distinct signatures indicate double 
spending 7. 

Then the solution is quite simple: 

1. In case of double spending if the second event comes more than say 20 seconds 
after the first transaction, the first transaction will simply be considered as 
valid and the second as invalid. This is based on the earliest timestamp in 
existence which proves that one transaction was in existence earlier. 

This seems reasonable knowing that the median time until a node receives 
a block is 6.5 seconds cf. [8, 9]. 

The implementation of such a mechanism is not obvious and will be dis- 
cussed separately below. However it seems that it could be left to the free 
market: several mechanisms could function simultaneously. For example one 
can immediately use timestamps published by blockchain.info and simul- 
taneously use timestamps from other sources. 

For solutions which would prevent various bitcoin web servers from manip- 
ulating these time stamps we will need to propose additional mechanisms, 
such as secure bitstamps or additional distributed consensus mechanisms. 
We will develop these questions in another paper. 

2. In case of double spending if both events come within at most 20 seconds 
of each other, miners should NOT include any of these transactions in the blocks 
they mine. Some miners can nevertheless accept a transaction because they 
have only received one of the two transactions, or because they are trying to 
cheat. Then their block could simply be invalidated because they have not 
been careful enough about collecting all the transactions which have been 
around. For honest miners this would occur with small probability. 
Yet it makes sense to make miners responsible for policing this: this is because 
miners are fewer than ordinary network nodes and mine in pools which are 
expected to help them to do it right. 

7 Things get more complicated with transactions which contain multiple signatures, 
cf. also transaction malleability attacks [10]. 

In other terms a mined block could be considered as invalid if it only includes 
one transaction while two were already in existence say 20 seconds before it was 
produced AND if these transactions were close in time. If one was much earlier, 
it could be included. Again this decision on whether to include or not a given 
transaction could be decentralized. 
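The two rules and the block-validity condition above can be written down as a small policy check. This is an added sketch, not code from the paper or from any bitcoin client; the 20-second window is the paper's, while the `SeenTx` record, the multi-source `reports` field and the function names are assumptions, and the sample observations are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WINDOW = 20.0  # seconds; the threshold suggested in the text


@dataclass(frozen=True)
class SeenTx:
    txid: str
    spends: Tuple[str, ...]      # outputs consumed, written "txid:index"
    reports: Tuple[float, ...]   # timestamps from independent sources (assumption)

    @property
    def first_seen(self) -> float:
        # "the earliest timestamp in existence" decides when the tx existed
        return min(self.reports)


def resolve(first: float, second: float, window: float = WINDOW) -> str:
    """Rule 1 / rule 2 for two transactions spending the same output."""
    if abs(first - second) <= window:
        return "neither"                             # rule 2: too close to call
    return "first" if first < second else "second"   # rule 1: earlier one is valid


def block_violations(block_time: float, included: Iterable[str],
                     seen: Dict[str, SeenTx],
                     window: float = WINDOW) -> List[Tuple[str, str, str]]:
    """List (included txid, rival txid, reason) for every breach of the policy."""
    rivals: Dict[str, List[SeenTx]] = {}
    for tx in seen.values():
        for outpoint in tx.spends:
            rivals.setdefault(outpoint, []).append(tx)

    problems = []
    for txid in included:
        tx = seen[txid]
        for outpoint in tx.spends:
            for other in rivals[outpoint]:
                if other.txid == txid:
                    continue
                verdict = resolve(tx.first_seen, other.first_seen, window)
                # Only blame the miner if both spends existed well before the block.
                both_old = max(tx.first_seen, other.first_seen) <= block_time - window
                if verdict == "second":
                    problems.append((txid, other.txid, "later spend included"))
                elif verdict == "neither" and both_old:
                    problems.append((txid, other.txid, "conflict inside window"))
    return problems


# Constructed observations (not real transactions).
SEEN = {t.txid: t for t in [
    SeenTx("A1", ("c0:0",), (100.0, 101.5)),
    SeenTx("A2", ("c0:0",), (112.0, 113.0)),   # 12 s after A1: rule 2 applies
    SeenTx("B1", ("c1:0",), (200.0,)),
    SeenTx("B2", ("c1:0",), (290.0, 291.0)),   # 90 s after B1: rule 1 applies
    SeenTx("C1", ("c2:0",), (400.0,)),
    SeenTx("C2", ("c2:0",), (405.0,)),         # appears only 5 s before a block at 410
]}

if __name__ == "__main__":
    print(block_violations(300.0, ["A1", "B1"], SEEN))
    print(block_violations(300.0, ["B2"], SEEN))
    print(block_violations(410.0, ["C1"], SEEN))
```

The check is only as trustworthy as the `reports` timestamps, which is the manipulation problem the text defers to secure timestamps or a consensus mechanism.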

All this requires some form of timestamping, and some security against 
manipulation of these timestamps, beyond what is implemented in the current 
software, either by consensus or secure timestamps. 

An alternative to timestamps could be a pure consensus mechanism by which 
numerous network nodes would certify that they have seen one transaction 
earlier than another transaction. This can be done very easily: we can re-use shares 
which are already computed by miners in vast quantities or select only certain 
shares with a sufficient number of zeros. We could mandate that if transactions 
are hashed in a certain order in a Merkle hash tree, it means that this miner 
has seen certain transactions earlier or another similar mechanism assuming 
that the majority of miners are honest. 

Discussion: This is NOT yet a full solution. It requires further work to 
specify and analyse if it does the job reasonably well and if it does not lead to 
new attacks. 

Remark: This solution is not an urgent need for larger crypto currencies 
which enjoy a dominant position and command a lot of hash power. They can 
probably survive for years without it. It is however vital for all small crypto 
currencies which are subject to risk of very rapid self-destruction if it is not 
applied, as shown in this paper. 

Enhancements: Probably we need to require more than a timestamp for all 
bitcoin transactions. We could also require timestamps for all individual 
signatures. A digital signature gives security guarantees which answer two 
questions: Who? (signs) and What? (is signed). A digital signature which 
includes a timestamp also answers the question When? (the transaction was 
authorized). 

Limitations: A major factor which is expected to affect the development 
and adoption of solutions to our problem is the size of the blockchain in bitcoin 
which is stored at every full network node and takes about 14 gigabytes. 



8 Hidden Attacks: How To Abuse Miners 
8.1 A Small But Important Technicality 

We examine the process of double hashing which is used in bitcoin mining ac- 
cording to [5]. 
Fig. 8. The process of bitcoin mining according to [5]. 



One thing jumps to our attention [we thank Lear Bahack for observing this 
fact independently, though we have observed that many months earlier]. The 
miners do NOT need to know on which block they are mining: they do NOT 
need to know the value of hashPrevBlock whose computation is amortized over 
many hash operations and the value of H0 changes very slowly. They only need 
to know the value H0 which will be computed for them by the pool manager. 
Miners can be made to mine without any precise knowledge about 
which block they are mining for. 

Only an excessively small number of miners will actually manage to find a 
winning block: only a very small proportion of about 2^-32 of all shares found 
by miners are winning shares. Only these miners can know on which block they 
have mined and they will know it from the public data in the blockchain. 

Thus pool managers CAN implement arbitrary subversive strategies, for ex- 
ample accept certain transactions only to overthrow them within less than one 



hour and accept another transaction with another recipient. Nobody will no- 
tice: miners will never know that they have been involved in some major attacks 
against bitcoin such as producing two different versions of the blockchain in order 
to double spend some large amount of money. 

Remark 1. Moreover even those miners who have produced winning blocks 
and therefore will be made aware of the previous block on which they have 
been mining, still cannot claim they have participated in some sort of attack. 
Fork events do happen in the bitcoin network. Only overall higher frequency of 
fork events mined by one large pool could suggest that some attacks have been 
executed by that pool, however the pools can execute such attacks just within 
the limits of the standard deviation 8 and never attract any attention. 

Remark 2. It is also possible to see that even with the knowledge of all 
recent transactions from the network and with the knowledge of H0, it is not 
possible to guess how exactly the Merkle root hash is composed. We are talking 
about preimage (inversion) attacks starting from H0 aiming at guessing which 
hashPrevBlock was used to produce this H0. This is because the number of 
combinations is too large. For example the number of ways to permute the order 
of 100 transactions is already more than 2^500. 
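The following added example (not from the paper or from any mining software) makes the point concrete for the 80-byte block header, assuming H0 is the SHA-256 state after the first 64 header bytes, which contain hashPrevBlock. It shows that a job consisting of H0 plus the 12 remaining header bytes is enough to hash, and what a miner could verify if the pool also disclosed the first 64 bytes; `pool_make_job`, `miner_hash`, `audit_job` and `build_header76` are hypothetical names and the sample hashes are constructed.

```python
import hashlib
import struct
from math import isqrt

M = 0xFFFFFFFF


def _icbrt(n):
    """Integer cube root (Newton iteration from an upper bound)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# SHA-256 constants derived from the first 64 primes, as in FIPS 180-4.
_PRIMES = [n for n in range(2, 312) if all(n % d for d in range(2, isqrt(n) + 1))]
IV = tuple(isqrt(p << 64) & M for p in _PRIMES[:8])
K = [_icbrt(p << 96) & M for p in _PRIMES]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M


def compress(state, block):
    """One SHA-256 compression: 8-word state plus a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return tuple((s + v) & M for s, v in zip(state, (a, b, c, d, e, f, g, h)))


def pool_make_job(header76):
    """Pool side: absorb the first 64 bytes into H0, ship H0 and 12 tail bytes."""
    return compress(IV, header76[:64]), header76[64:76]


def miner_hash(h0, tail12, nonce):
    """Miner side: double SHA-256 of the 80-byte header from H0, tail and nonce."""
    last = tail12 + struct.pack("<I", nonce)                          # bytes 64..79
    padded = last + b"\x80" + b"\x00" * 39 + struct.pack(">Q", 640)   # 80 bytes = 640 bits
    inner = struct.pack(">8I", *compress(h0, padded))
    return hashlib.sha256(inner).digest()


def audit_job(first64, h0, expected_prev):
    """What a miner could check if the pool also disclosed the first 64 bytes."""
    if compress(IV, first64) != tuple(h0):
        return "first block does not match H0"
    if first64[4:36] != expected_prev:
        return "job builds on a different previous block"
    return "ok"


def build_header76(prev_hash, merkle_root, version=2, time=1398695520, bits=0x1B000000):
    """Header without nonce: version | hashPrevBlock | merkle root | time | bits."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<II", time, bits))


# Constructed 32-byte values standing in for real block and Merkle hashes.
TIP = hashlib.sha256(b"constructed chain tip").digest()
OTHER = hashlib.sha256(b"constructed competing block").digest()
ROOT = hashlib.sha256(b"constructed merkle root").digest()

if __name__ == "__main__":
    h0, tail = pool_make_job(build_header76(OTHER, ROOT))
    print(miner_hash(h0, tail, 0).hex())
    print(audit_job(build_header76(OTHER, ROOT)[:64], h0, TIP))
```

Two jobs built on different previous blocks carry identical tail bytes here, so the only difference visible to the miner is the opaque H0; the audit is possible only when the first 64 bytes are disclosed as well.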

8.2 Miner Hidden Abuse Attack Across Currencies 

The same attack works across digital currencies. Some miners think that they 
mine bitcoin, while in fact they are made to mine Unobtanium, and vice versa. 
All this is the discretionary power of the pool manager, this is due to the fact 
that one can mine only knowing H0 and most of the time no other information is 
disclosed to miners. In rare cases miners could discover that they found a block 
for another crypto currency which they have never mined. In practice miners 
do NOT store vast quantities of H0 values with which they have mined. Miner 
devices do NOT have enough memory to store them. 

8.3 Further Manipulation Scenario With Deflected Responsibility 

Our attack can also be made to work in the scenario in which it is not possible 
for the attacker to corrupt pool managers. It can be run in a different way in 
which pool managers are going to corrupt themselves and there will be no reason 
to accuse them of acting with any sort of malicious or criminal intention. 

Basically it is possible for an attacker to manipulate the price of a small 
crypto currency such as Unobtanium to be 10 % MORE profitable than bit- 
coin mining (typically such currencies are in a sort of equilibrium situation in 
which the profitability is similar as for bitcoin). Then we can hope that the 
pool managers themselves are going to implement code to switch to this crypto 
currency for a short time (real-time switching mechanism mining for the most 
profitable currency at the moment). If not, the attackers can themselves release 
open-source code of this sort in order to encourage the adoption of this sort 



8 Standard deviation is excessively large for mining events which are quite rare, cf. [6]. 



of gain optimization techniques among pool managers. Pool managers can now 
re-direct 100 % of the hashing power they command to another entity. They are 
NOT going to tell this to miners and simply pocket the difference, and they will 
still pay miners in bitcoins. Again, there is in principle no way in which miners 
could see the difference. 



9 Towards A Theory of Programmed Self-Destruction 

In this section we are going to try to combine all the elements which we have 
studied so far in order to see what is the overall landscape. We can now formulate 
a certain theory or set of claims about the predicted future of crypto currencies, 
based on what we learned. 

Our main claim is that the combination of three things: 

1. the longest chain rule, 

2. deflationary monetary policies which heavily limit the production of new 
coins (with or without sudden jumps in miner reward), 

3. and a competitive environment where hash power can shift rapidly from one 
coin to another, 

is a fatal combination. It leads to predicted destruction of crypto coins. 

On Fig. 9 we summarize again the main premises in our theory and also try 
to show some additional influencers. 
Lack of effective protection against double spending, sudden shocks and predicted decline or/and 
self-destruction of crypto currencies. Dominating (monopoly) currencies possibly exempt. 



Fig. 9. Theory of programmed self-destruction of crypto currencies: major factors and 
influencers which are also the main premises of our theory. 



The remaining part of the paper will be a study of particular use cases. Does 
our theory work? Does it allow us to understand the past and somewhat 
predict the future of various crypto currencies? 



10 Case Study: Unobtanium 



Unobtanium is a clone of bitcoin which has been in operation since October 2013 
(cf. unobtanium.io). Unobtanium uses SHA256 and can reuse bitcoin ASICs for 
mining, and it has a non-negligible value. In March 2014 it was worth some 
0.01 BTC which at the current hash speed made Unobtanium mining roughly as 
profitable as standard bitcoin mining (note: later in April 2014 the profitability 
of UNO mining has declined). It is traded at several exchanges. Transactions 
are substantially faster than bitcoin: blocks are generated and transactions are 
confirmed once per 1.24 minutes instead of every 10 minutes for bitcoin (it is 1.24 
minutes and not 3 minutes as reported incorrectly by many sources). At first 
sight this currency therefore seems a quite promising clone of bitcoin and the 
current market value of all Unobtanium in circulation is roughly about 0.5 million 
dollars. On the official web page unobtanium.io we read that Unobtanium is 
expected to be "the cryptocurrency for serious traders" and that "Unobtanium 
is safe". At first sight we see no problem with this currency whatsoever apart 
from the fact that there are very few actual transactions in the blockchain. 

Unobtanium is quite rare: only 250,000 will ever be made, and the production 
of new currency is halving every 2.88 months which is incredibly fast. There 
are only a few halving periods however, and in September 2014 the miner reward 
settles forever at a surprisingly small value. 



Table 1. The Unobtanium Reward 

blocks          approx. dates        UNO/block 
1 - 102K        18 Oct 2013-         1 
102K - 204K     15 Dec 2013-         0.5 
204K - 306K     12 Feb 2014-         0.25 
306K - 408K     4 April 2014-        0.125 
322,050         -today-              0.125 
408K - 510K     5 Jun 2014-          0.0625 
510K - 612K     1 Aug 2014-          0.03125 
612K-           after 29 Sep 2014    0.0001 


In fact this crypto currency smells programmed self-destruction. 

At the moment of writing some 2/3 of all coins were already made. In March 
2014 the current price of Unobtanium (UNO) was about 6 USD and again 
Unobtanium mining was roughly as profitable as standard bitcoin mining. However 
because Unobtanium uses the same SHA256 ASICs as in bitcoin mining, the 
computing power (hash power) can shift in both directions instantly. In partic- 
ular the computing power in Unobtanium currency is NOT growing, it is rather 
declining. 

10.1 Double or Die 

When the next block reward halving comes in April, the price of UNO needs 
to be at 12 USD in order to keep mining equally profitable (cf. later Theorem 
11.1 page 35). Then in June it would need to become 24 USD, then in August it 



would need to become 48 USD. Such rapid appreciation at an exponential rate 
is unlikely to happen and the hash rate must decline accordingly, until mining 
becomes profitable. 

10.2 The Self-Destruction of Unobtanium 


Fig. 10. The growth and decline of UNOBTANIUM hash power in the last few months. 
We observe sudden (speculative?) jumps and periods of intensive mining followed by 
steady decline in the hash power in days following each block halving date 
(15 Dec and 12 Feb). 

On Fig. 10 we see that miners are already running away from this crypto 
currency. This happens in sudden slumps as predicted. There is an important 
decline in the hash rate which occurs a few days after block halving dates, after 
some sort of short period of instability. We see that the process of rapid 
self-destruction has already started for this crypto currency 9 . 

Unobtanium is a crypto currency which is already destroying itself. It is 
bound to always have very small market cap, which implies small anonymity 
and small adoption. In bitcoin the decline in mining profitability could be com- 
pensated by massive adoption and fees, and miners do not have a better crypto 
currency to escape to. Here the adoption as a payment instrument is close to 
zero, fees are zero and miners have very good alternatives to switch to. 

10.3 A Kill Switch 

There is much worse than that. After 29 September 2014 the miner reward is 
going to be divided by 312.5 overnight. Then if we want the mining prof- 
itability to be the same as today and the hash rate not to decline, the price 

9 We claim that similar periods of decline in hash power are also likely to happen for 
bitcoin, though not before 2015/2016 see Section 12, and more quickly for Dogecoin, 
at several moments during 2014, see Section 11. 




of UNO would need to be 15,000 USD each to compensate for that again (or 
mining will not be profitable and hash power protection will go elsewhere). This 
would make UNO achieve a market capitalization of about 4 billion dollars from 
0.5 million today. Unbelievable 8000x growth in a few months. 

Of course it is obvious that this is not going to happen. We expect rather that 
there will be a very fast outflow of hash power at each reward halving (cf. Fig. 10) 
until we reach again an equilibrium situation where again mining Unobtanium 
will be as profitable as mining bitcoin. Overall on and before 29 September 2014 
we predict very rapid spectacular collapse in Unobtanium hash power. 

Of course at the same time there can be some appreciation of Unobtanium 
due to their increasing rarity and increased popularity, however this appreci- 
ation is unlikely to happen by sudden jumps, and it is obvious that it cannot 
achieve 100% appreciation every 3 months and 30,000 % appreciation (300 times 
increase) on one single day in September. 

10.4 Further Decline? 

Our prediction is that the hash power in Unobtanium will decline to a 
ridiculously small value (for example 1000x smaller than today). If we assume (being 
VERY conservative and optimistic) that Unobtanium miners mine at the same 
profitability threshold as bitcoin miners, and if UNO pays less miners would 
switch to bitcoin, following Table 1 in September 2014 the hash rate is going to 
be at most 1250 times lower than the peak of 80,000 TH/s of February 2014. 
This is at most 70 TH/s. In September 2014 anybody should be able to execute 
a 51 % attack on Unobtanium. For example we can estimate that in order to 
execute the attack of Section 11.5 based essentially on Fig. 7 which is expected 
to last only about 5 minutes, the attacker needs to rent 35 TH/s of SHA-256 for 
about 5 minutes. It is easy to see that this will cost only a few dollars. 

A decline in hash power will inevitably lead to several major problems: 

— It will become easy to double spend older coins, there will be permanent 
for-profit criminal activity (cf. also Section 11.5). 

Yes in September 2014 it will cost only a few dollars to execute a 
51 % attack on Unobtanium. 

— It will become easy to run a "mining cartel attack": only accept blocks mined 
by members of a certain group, cf. [6]. 

— A sudden collapse of this crypto currency will probably occur much earlier, 
as soon as any of these two starts happening, totally destroying confidence 
of investors and users in this crypto currency. 

Remark. It is clear that Unobtanium is in trouble, and later in April 2014 we 
observed that the profitability of UNO mining has declined and apparently some 
miners are artificially sustaining it and accept to mine with lower profitability, 
probably in a bid to avoid total collapse of this currency. We also observed on 28 
April that the official web site for Unobtanium is not even displaying the current 
hash rate anymore for the second half of April. 



11 Another Case Study: Dogecoin vs. Litecoin 



In this section we look at two currencies Litecoin (long time established) and 
Dogecoin (started end of 2013) which are quite comparable 10 . Both currencies 
use the same hash function (SCRYPT) and they have historically known com- 
parable hashrates. The hash power can move freely and it is possible to see that 
throughout most of the recent history of Dogecoin EACH currency could be 
used to attack each other with a 51 % attack. We are going now to show 
that this "symmetric" situation is changing very rapidly, and we will attempt to 
predict the future of these currencies. 
Fig. 11. DOGE hashrate compared to LTC hashrate in the last 6 months 

Dogecoin is a newcomer which has challenged the incumbent Litecoin very 
seriously in terms of achieving a higher hash rate at moments. However the 
market capitalization of Litecoin remains at least 8 times bigger (300 M USD 
vs. 37 M USD at the moment of writing). This is because Litecoin has been 
mined for longer and more people hold some balances in Litecoins. 

11.1 Block Halving and Programmed Self-Destruction of Dogecoin 

In Litecoin no block halving is planned until 30 August 2015, then the reward 
is halved, and then the reward remains stable until 2019. Then it has countless 
block halving events programmed over a period of some 100 years. 

In Dogecoin block reward halving events are only very few but they are all 
planned to occur very soon at the very early stage of existence of Dogecoin in 
the coming months of 2014. Important events are unfolding before our eyes. 

In excessively short time after its creation, Dogecoin has been able to achieve 
a comparable and even higher hash rate than Litecoin. This has lasted until 

10 There was a very strong asymmetry between bitcoin and Unobtanium, bitcoin was 
always many thousands of times larger and it was never able to challenge bitcoin in 
any way 



March 2014 cf. Fig. 11. On this figure we also observe very strong negative 
correlation between the two hash rates. When one goes up, the other goes down, 
the sum is nearly constant at times. We take it as a strong evidence that the hash 
power has already been shifting in both directions between these two currencies. 

Then on 17 March 2014 the reward was halved cf. Fig. 12. At this moment the 
hash rate in Litecoin has immediately adjusted and switched to another curve, 
very precisely in days following 17 March 2014, cf. Fig. 11. This ratio has then 
been quite stable with the hash rate of Dogecoin remaining at or below half of 
the hash rate of Litecoin. 

In this paper we claim that this is strict mathematics. When the reward 
halves, miners will either see the value of Dogecoin double or a fraction of miners 
will switch and mine for a competing crypto currency. More precisely miners will 
be leaving this crypto currency until a new equilibrium is reached: less miners 
will be there to share the new (decreased) reward and therefore the profitability 
of their mining operations will be restored. We have the following result: 

Theorem 11.1 (Law Of Decreasing Hash Rates). If the miner reward of a 
crypto currency is decreased 2 times and the market price remains the same, the 
hash rate will be divided by 2 approximately. 

Dogecoin has failed to appreciate 2x in value, therefore the hash rate must 
decrease 2x. 11 We will see this happen again on Fig. 13. 
Fig. 12. Programmed sudden jumps in DOGE block reward 



A few more successive block halving events in Dogecoin are programmed 
every 69 days leading to rapid decline in hashing power. This is again unbe- 
lievably fast speed for a financial asset, not less crazy than with Unobtanium 
cf. Section 10.1. 
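Theorem 11.1 applied to the reward schedule of Table 1, as an added worked example (not the authors' code): it assumes, as the theorem does, that miners stay only while income per hash, proportional to reward times price divided by hash rate, matches the alternative. It reproduces the 12, 24, 48 and 15,000 USD break-even prices and the 312.5x and 1250x factors quoted in Section 10; the function names are hypothetical.

```python
from fractions import Fraction

# Table 1 of the paper: (approximate era start, UNO per block).
UNO_SCHEDULE = [
    ("18 Oct 2013", Fraction("1")),
    ("15 Dec 2013", Fraction("0.5")),
    ("12 Feb 2014", Fraction("0.25")),
    ("4 Apr 2014", Fraction("0.125")),
    ("5 Jun 2014", Fraction("0.0625")),
    ("1 Aug 2014", Fraction("0.03125")),
    ("29 Sep 2014", Fraction("0.0001")),
]


def breakeven_price(price_ref, reward_ref, reward):
    """Price at which reward * price, hence income per hash, is unchanged."""
    return Fraction(price_ref) * reward_ref / reward


def equilibrium_hashrate(h_ref, reward_ref, reward, price_ratio=1):
    """Theorem 11.1: at equal profitability per hash, H scales with reward * price."""
    return Fraction(h_ref) * reward * price_ratio / reward_ref


def project(schedule, ref_index, price_ref, h_ref):
    """For every era after ref_index: the price needed to hold h_ref,
    and the equilibrium hash rate if the price stays flat instead."""
    reward_ref = schedule[ref_index][1]
    rows = []
    for start, reward in schedule[ref_index + 1:]:
        rows.append({
            "era": start,
            "reward_cut": reward_ref / reward,
            "breakeven_price": breakeven_price(price_ref, reward_ref, reward),
            "hashrate_flat_price": equilibrium_hashrate(h_ref, reward_ref, reward),
        })
    return rows


if __name__ == "__main__":
    # Reference point from Section 10: about 6 USD per UNO in March 2014
    # (0.25 UNO/block era); the hash rate is in TH/s.
    for row in project(UNO_SCHEDULE, 2, 6, 80000):
        print(row["era"], float(row["breakeven_price"]),
              float(row["hashrate_flat_price"]))
```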

11 The same phenomenon of rapid decline in hash rate at moments of block halving, 
was also observed with Unobtanium currency, cf. Fig. 10 in Section 10.1. 



11.2 How Vulnerable Is DogeCoin? 

In this paper we show that Dogecoin is threatened by the 51 % attack in more 
than one way. For example, in April 2014 it was reported that one single 
pool in DogeCoin was controlling 50.3 % of the network hashrate, see 
http://www.reddit.com/r/dogecoin/comments/22j0rq/wafflepool_currently_controls_503_of_the_network/. 
Moreover the pool managers can execute attacks without the knowledge of miners, 
see Section 8.1. However bigger threats come from the fact that the hash power 
in Dogecoin is declining and the hash power available outside Dogecoin is 
becoming many times larger than the whole of Dogecoin, knowing that the hash 
power used to mine for one currency can be reused (with or without the 
knowledge of the miner) to mine for another currency, cf. Section 8.2. 

11.3 Latest News: Decline Under Our Eyes 

The latest Dogecoin halving event has occurred on 28 April 2014 at 14:32. 
Our theory predicts that at this moment either Dogecoin market price goes 
up abruptly (not very likely) or the hash power should be then divided by 2 in a 
short time. At this moment Dogecoin capability to be protected against double 
spending attacks will be seriously affected. 

In order to verify if our theory is exact, we have observed the hash rate of 
Dogecoin at dogechain.info in the hours following the block halving on 28 April 
2014. We have observed exactly what we expect: a decline to achieve roughly 
half of the previous hash rate. We were in fact surprised by the rapidity of this 
decline. 
Fig. 13. Rapid decline in DOGE hash rate in hours after block halving. 



In a few hours the Dogecoin hash rate has declined below 50 GH/s while AT 
THE SAME time one single miner had 21.70 GH/s 
http://wafflepool.com/miner/14t8yB3PDGfZT3VppxMY4J9xiBaXUcZvKp, which data are 
updated every 15 minutes. 



11.4 Is Dogecoin Under Attack? 

At one moment at 15h44 we have actually observed that the hash rate went 
down to 40 GH/s for a short moment and conditions for a 51% attack have been 
met. One single miner had 51 % for a short while. 

At another moment we have observed that the hash rate has increased 10 
times in a very short time, see Fig. , and went back to normal a few minutes later. 
We do not know if this was an attack on Dogecoin of the precise sort we study in 
this paper, and we do not know how reliable the data reported by dogecoin.info 
are. The peak hash rate of 548 TH/s shown at this moment seems too 
large to be true and would exceed the hash rate of Litecoin. 








Fig. 14. A rapid increase in DOGE hash rate observed in hours after block halving. 



11.5 Near Future - Is There A Criminal Business Case? 

It is easy to show that Dogecoin can hardly survive in the current form. 

After April 2014 there will be a few more periods in which the block reward 
will be halved after 69 days, cf. Fig. 12, and accordingly the hash rate is also 
expected to decline twice at each moment. Overall we expect that at the end 
of 2014, the hash rate of Dogecoin will be already some 32 times smaller than 
what it was in February 2014, when it was equal to that of Litecoin. We expect 
that very soon Dogecoin will become a perfect target for criminal activity 
where money can be made easily. Let us discuss if this is really plausible. 
We restrict to the question if double-spending attacks will be feasible. 

It has already happened on April 28 that ONE SINGLE MINER had enough 
hash power in order to execute a double spending attack. The worst is however 
yet to come. We claim that in the coming months it will be possible for criminals 



to execute double spending attacks with much lower investment. Here is one 
possible way for an attacker to proceed: 

— The attacker needs an initial amount of say 10 times the amount of money 
mined in one block, currently about 10x120 USD, he needs about 1200 USD. 

— He sends 600 USD to some recipient and keeps 600 USD for the cost of doing 
the blockchain manipulation. 

— He executes the attack as on Fig. 7 page 21 and spends 600 USD on mining. 

— The attack will be feasible as soon as a certain fraction of hash power in 
Litecoin is available in hosted cloud mining. It should be at least 51 % of 
Dogecoin hash rate which is going to become very easy in the coming months 
due to very rapid decline in the hash rate predicted due to Table 12. 
There is also another even more subversive scenario in which pools automat- 
ically provide computing power to the attacker, without the knowledge of 
miners and without the knowledge of pool managers, see Section 8.3. 

— He is then able to spend his 600 USD again as on Fig. 7. 

— The net profit in this attack is 600 USD and it takes about 5 minutes. 



11.6 Better Prospects For Dogecoin in 2015? 

Let us assume that Dogecoin survives until 2015, and it is not destroyed by mas- 
sive outflows of capital, double-spending attacks and serious for-profit blockchain 
manipulation or a mining cartel attack, which will be very surprising. 

Then the situation is expected to stabilize in 2015. After January 2015: there 
will be no more reward halving in Dogecoin. There will be a steady production 
of new coins and progressive but infinite growth of monetary supply. 

— 98 billion coins will be released by January 2015. 

— Then some 5.2 billion more coins will be produced each year. 

It is like a 5 % increase in the monetary supply in the first year, slightly less 
in the coming years. 

Unhappily at this moment the hash rate of Dogecoin will be maybe 50 times 
lower than in Litecoin, which is what we expect from Table 12. It will be difficult 
for Dogecoin to compete with Litecoin. It is expected to remain permanently 
weaker, and if the specification is not changed, it will become a permanent target 
for profitable criminal activity, as shown above. However the Dogecoin developers 
can apply some fixes such as proposed in Section 7.2 and their currency will be 
able to function correctly in spite of having a low hash rate. 

11.7 The Improbable Revenge of Dogecoin in the Long Run 

Ironically it is possible to see that in the long run, like after 10, 20 or 30 years, 
Dogecoin hash rate should again exceed that of Litecoin, this is if they are still in 
existence at that moment and their miner reward policies are not reformed. This 
is because the monetary supply of Litecoin is fixed, and the monetary supply 
of Dogecoin is unlimited. In the long run, Litecoin will see the profitability of 



mining halved many times, while it is expected to remain relatively stable in 
Dogecoin. Accordingly we expect that the hash rate of Litecoin will in turn 
decrease at certain moments (every 4 years, next halving expected in August 
2015). This process is expected to take a lot of time, probably many decades 
because Litecoin is more popular than Dogecoin, and some of the decreased 
income for miners could be compensated by the slow appreciation of Litecoin 
and higher amount of transaction fees collected in Litecoin. 



12 Future of Bitcoin: Is Bitcoin Strong Enough to Avoid 
Programmed Decline? 



Now we are going to speculate about privileged moments in time at which bitcoin 
could see a decline in its hash rate. The next block reward halving in bitcoin is 
predicted to happen on 22 August 2016 according 12 to bitcoinclock.com. 

We predict that a major crisis of bitcoin digital currency could occur at this 
moment. In fact however it does not have to be so. We predict that bitcoin will 
be in trouble only if some preliminary conditions 13 are also met at this date: 

1. If bitcoin mining has sufficient competition by that time, 

2. If miners are willing and able to reprogram their ASIC machines to mine for 
other competing crypto-currencies, 

3. If overall mining market outside of bitcoin will be large enough to provide a 
better mining income in a sustainable way: even if there is a massive transfer 
of hash power from bitcoin to these alternative crypto currencies. 

4. If bitcoin specification is not changed (cf. changes proposed in Section 7.2). 

Then we predict that at this next bitcoin block reward halving (in or before 
August 2016), the hash power will massively shift to other crypto currencies. 
This could possibly destroy the reputation of bitcoin as it might suddenly become 
vulnerable to 51 %-like attacks such as described on Fig. 7 page 21. We stress 
that such transition could happen nearly overnight, on some day in 2016. 

12.1 Possible Consequences 

At a certain moment in the future we predict a rapid transition to occur and 
bitcoin becoming vulnerable to attacks. We expect that such a transition can lead 
to a rapid decline of bitcoin as people can switch to other competing crypto 
currencies very quickly as soon as double spending suddenly becomes feasible 
to execute in bitcoin. More importantly, merchants would probably all of a 
sudden stop accepting any bitcoin payments whatsoever (the tipping 
point). This would be as soon as it becomes profitable to commit double spending 
attacks and therefore it will become very risky to accept any bitcoin payments 
(as they can be reversed later). 

12.2 Counter Arguments 

It is very difficult to predict the future. How can we claim that a 50 % 
reduction in mining income will make miners massively quit bitcoin mining? This 
seems to be in contradiction with recent bitcoin history. In fact the actual reward 

12 However this is subject to some known irregularities and imperfections in the auto- 
matic difficulty adjustment mechanism of bitcoin. It is known that the bitcoin clock 
has been accelerating. Some authors claim the block 420,000 and the block reward 
halving will happen at up to 1 year earlier, maybe in May 2016, maybe as early as 
September 2015, see https://bitcointalk.org/index.php?topic=279460.0. 

13 See also Fig. 9 page 30. 



for every existing bitcoin mining machine HAS BEEN divided by two 
countless times already. For example it was divided by two NEARLY EVERY 
MONTH in the last 12 months, see Fig. 3. Yet people did NOT go to mine for 
other crypto currencies at a massive scale. There was no important displacement 
of hash power, though certainly there was some (which works in both directions, 
many miners also switched from other currencies back to bitcoin mining, 
see Fig. 10). Overall the majority of people kept mining bitcoins as usual. 

The reason why miners did not stop mining bitcoins is that miners had no 
choice so far. No plausible alternative to switch to. 

12.3 Decline or Persistent Domination? 

We observe that until now there was not a sufficiently strong SHA256-based 
bitcoin competitor to switch to (LiteCoin does not apply). As long as bitcoin 
remains a dominant monopolist crypto currency, our predictions about decline 
of bitcoin simply do NOT work. 

Now we anticipate that sooner or later competition to bitcoin will be there. 
One or several SHA256-based crypto currencies will be able to provide higher 
returns for miners contributing raw hash power. 

Remark. This is more than just an opinion. We believe that in the future 
one should be able to develop a sort of economic theory which shows that this 
is very likely to happen as already explained in Section 5 as a predictable con- 
sequence of several contributing factors: current monetary and reward policies 
which erode the miners' income 14 with important and sudden jumps 15 , com- 
petitive markets 16 and other factors 17 including precisely their yet lower level of 
protection for some currencies 18 . 

14 One argument for this (due to J. Kroll) was that bitcoin reward policy is NOT 
generous enough and does NOT reward miners well enough in the long run, see 
Section 5.3. 

15 Such sudden jumps have no justification whatsoever, they can only be harmful. They 
are NOT justified even if we keep the premises of fixed monetary supply, see Part 3 
of [5]. 

16 When mining becomes less profitable miners are going to increase transaction fees 
which is going to seriously affect the adoption of bitcoin as a medium of exchange, 
see Section 5.4. 

17 We can also argue that one of the reasons why bitcoin has attracted such growth 
was the expectation that it will rise a lot, which is due to its built-in unreasonable 
deflationary monetary policy. Then once bitcoin has achieved the peak of possible 
appreciation, possibly already in 2014, other crypto currencies with "more 
reasonable" policies and settings in the sense of Section 5, are likely to emerge as 
obvious challengers and drive bitcoin out of business. 

18 Additional important shifts in hash power could occur because several criminals 
might simultaneously be trying to exploit all other SHA256-based crypto currencies 
in which double spending attacks will be easier to execute by displacing hash power 
rapidly in both directions, also possibly playing with automatic difficulty adjust- 
ments in these currencies at the same time. 



13 Summary and Conclusion 

Bitcoin has a number of features and properties which are sometimes presented 
as very interesting and positive. In fact they are highly problematic and they 
are rather engineering mistakes and early sins of bitcoin digital currency. More 
importantly, these features have been copied by other currencies, so called alt- 
coins. We are presented with software systems which are claimed to be payment 
systems and currencies. Therefore people expect that they will be relatively sta- 
ble and that they are protected against attacks. In reality serious problems are 
programmed right there in the DNA of these currencies. Sudden jumps and rapid 
phase transitions are programmed at fixed dates in time and are likely to 
ruin the life of these currencies. In this paper we show that most crypto curren- 
cies simply do NOT have ANY protection against double spending. More 
precisely the current protection is flawed or/and ineffective in all crypto curren- 
cies which have copied the mechanisms in place in bitcoin. Overall, many crypto 
currencies make such attacks too easy. They become possible and profitable at 
particular moments in time known in advance. We do not know a single crypto 
currency which in our view would have been correctly designed and engineered 
in order to protect our money. On the contrary. 

13.1 What's Wrong? 

We discovered that neither Satoshi nor bitcoin developers have EVER 
mandated any sort of transaction timestamp in bitcoin software. This can 
be seen as an expression of some sort of strange ideology: giving an impression 
that maybe the Longest Chain Rule does solve the problems in an appropriate 
way. However clearly this rule is inadequate, it has definite perverse effects and 
it is in fact simply dangerous and encourages criminal activity. Double spending 
events are not only facilitated by this exact rule as we show in this paper but 
they are not even recorded in the current bitcoin network, cf. [10]. 

The Longest Chain Rule is not exactly dead. It is probably OK for deciding for 
which blocks miners will be attributed a monetary reward (though more stable 
mechanisms could be proposed). However there is no reason why the same 
exact slow and unstable mechanism would also be used to decide which 
transactions are valid. This is NOT a feature, it is a bug. An engineering 
mistake on behalf of Satoshi Nakamoto, the founder of bitcoin. It affects not only 
the security of bitcoin but also its usability: it makes transactions unnecessarily 
slow, especially for larger transactions which require more confirmations. 

13.2 A Vulnerability Which is Programmed To Get Worse 

In this paper we initiate something which could be called a Theory of 
Programmed Self-Destruction of Crypto Currencies. We look at built-in properties 
in crypto currencies and we point out the combined effect of several factors. 
We observe that vulnerability to double spending attacks is very closely affected 
by built-in deflationary miner reward policies and the fact that these policies 
in their current implementation mandate abrupt and sudden jumps. These 
moments are likely to coincide with dates on which the hash power is going to 
dramatically fall, most probably in August 2016 for bitcoin, and much sooner, 
at several moments during 2014 for Dogecoin, Unobtanium and many other 
existing coins. At one moment the protection cushion which is provided by the high 
hash rate goes away overnight. It becomes possible to execute double spending 
attacks. More importantly, we show that such attacks can be executed 
WITHOUT the knowledge of miners which participate in the attack, see Section 8.1. 
In Section 8.3 we describe a further realistic attack scenario in which this is done 
without the knowledge of pool managers. 



[Figure 15: diagram with boxes labelled "Deflationary monetary policy + sudden 
jumps in miner reward", "The Longest Chain Rule and associated blockchain 
attacks", "Cloud mining, competing crypto currencies and malicious pools", 
"Rapid displacement of hash power and predicted decline or/and self-destruction 
of crypto currencies", "Criminal exploitation, increased risks to bitcoin 
exchanges", "Reinforcement of monopolies of stronger crypto currencies" and 
"Eroded confidence in all virtual currencies".] 

Fig. 15. The built-in risks and dangers in current digital currencies. 

In this paper we have identified the DNA responsible for the epidemics of 
programmed self-destruction which is already affecting more than one crypto 
coin quite badly with rapid outflow of hash power within days/hours: cf. Section 
10 and 11. We conjecture that for small coins, the Longest Chain Rule alone is 
sufficient to kill them. For large coins which dominate the market, it is still most 
probably fatal in the long run when it occurs in combination with deflationary 
monetary policies and in a competitive market environment. 



13.3 How To Fix It 

It is possible to see that the potentially harmful properties of bitcoin and other 
crypto currencies which we study in the present paper are not fatal. There is 
no doubt that the virtual currency technology could be improved or fixed in 
order to implement more reasonable rules. However it appears that a majority 
of existing crypto currencies have copied the unreasonable Longest Chain Rule 
of bitcoin and made things substantially worse by mandating substantially faster 
transitions in monetary policy and reward rules. 

In Section 7.2 we propose a method to modify the process of deciding which 
transactions are valid in a crypto currency. This method is expected to solve the 
problem of double spending in a better way and also dramatically improve the 
speed of transactions in crypto currencies. More research on such solutions is 
needed. The bottom line is that bitcoin software MUST change and implement 
timestamps for transactions and use them to prevent and police double spending 
better than with blockchain alone. The current situation leads to attacks which 
should simply not exist in a crypto currency. 
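
Sections 13.1 and 13.3 call for double spending events to be recorded and policed with transaction timestamps. The Python example below is added here for illustration and is not the paper's code nor the method of Section 7.2; it assumes a node that stamps each transaction with its own local first-seen time, and the names `Tx`, `DoubleSpendMonitor` and the sample transactions are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple  # outpoints spent, each (previous txid, output index)

@dataclass
class DoubleSpendMonitor:
    # Assumption: timestamps are this node's local first-seen times in seconds.
    first_seen: dict = field(default_factory=dict)  # outpoint -> (txid, time)
    events: list = field(default_factory=list)      # conflicts, never discarded

    def _conflicts(self, tx, when, kind):
        found = []
        for outpoint in tx.inputs:
            prior = self.first_seen.get(outpoint)
            if prior and prior[0] != tx.txid:
                found.append({"kind": kind, "outpoint": outpoint,
                              "first_txid": prior[0], "first_seen": prior[1],
                              "rival_txid": tx.txid, "rival_seen": when})
        self.events.extend(found)
        return found

    def observe(self, tx, when):
        """Unconfirmed tx heard on the network at local time `when`."""
        found = self._conflicts(tx, when, "relay-conflict")
        if not found:  # only a conflict-free tx claims its outpoints
            for outpoint in tx.inputs:
                self.first_seen.setdefault(outpoint, (tx.txid, when))
        return found

    def confirm(self, tx, when):
        """tx entered a block: record it if a rival spend was seen first."""
        return self._conflicts(tx, when, "confirmed-over-first-seen")

def demo():
    """Constructed sample: outpoint ("aa", 0) is spent twice, 40 s apart."""
    monitor = DoubleSpendMonitor()
    pay_merchant = Tx("t1", (("aa", 0),))
    pay_self = Tx("t2", (("aa", 0), ("bb", 1)))
    monitor.observe(pay_merchant, 1000)
    monitor.observe(pay_merchant, 1005)  # re-announcement, not a conflict
    monitor.observe(pay_self, 1040)      # conflicting spend is recorded
    monitor.confirm(pay_self, 1600)      # the later spend wins the block
    return monitor

if __name__ == "__main__":
    for event in demo().events:
        print(event)
```

The second event type covers the case where a block confirms a spend that was not the first one seen, which the Longest Chain Rule accepts without leaving any record.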

13.4 Discussion 

We should think twice before saying that what Satoshi did was wrong or 
mistaken. In Section 12 we show that the current bitcoin specification gives the 
bitcoin currency a privileged position. Smaller bitcoin competitors which use the 
same hash function are rather unable to survive, cf. Section 10 and 11. Bitcoin 
tends to remain in a monopoly situation while smaller alt-coins are in trou- 
ble, even if they copy its mechanisms exactly. Satoshi and other early adopters 
may then hope that nobody will challenge bitcoin and they will be able to earn 
hundreds of millions of dollars selling their coins, cf. Section 2.6 and 12.3. 

Remark: Litecoin which uses a different hash function escapes this rule 
and creates a dominating position in its own space. Here it has been recently 
challenged by Dogecoin which has achieved a comparable hash rate in February 
2014. Unhappily as we show in this paper, the hash rate of Dogecoin is now 
bound to substantially deflate. It has already become highly vulnerable to double 
spending attacks, which can be executed by one single miner, cf. Section 11.5. 

13.5 Investors and Alt-Coin Designers in Trouble 

In this paper we have studied how hundreds of millions of dollars were invested 
in bitcoin. On one side it is a bubble, on the other side it is an investment. 
An investment in building secure distributed hashing infrastructure which has 
cost hundreds of millions of dollars and consumes tens of megawatts in electricity. 
In this paper we show that this investment does NOT do the job correctly. We 
claim that large hash power is neither necessary nor sufficient in order to 
run a digital currency system. We contend that this expensive electronic notary 
infrastructure is not needed for bitcoin to function correctly. It is not justified by 
security against double spending. Now it may appear necessary, because bitcoin 
and other digital currencies have not really tried to protect themselves against 
double spending attacks. Current digital currencies simply do allow blockchain 
manipulation to affect transactions too easily (cf. Fig. 7 page 21). 

The current monopoly rent situation for bitcoin (if there is one) is more 
accidental than deserved. It is rather due to the fact that competitors of bitcoin 
have not done enough in order to design reasonable crypto currencies (cf. Section 
7.2). In fact it is possible to believe that they have been excessively naive and 
they have fallen into a specific sort of deadly trap. They have copied those exact 
mechanisms in bitcoin which mandate programmed destruction of all 
(weaker) crypto currencies which implement them. Moreover many 
alt-coins have accelerated this process greatly by programming many consecutive 
very fast transitions to occur within months. 

Current alt-coin crypto currencies are also ideal candidates for "pump and 
dump" investment strategies in which the decline is bound to happen at exact 
predicted moments in time. 